Preface



AISC 2004, the 7th International Conference on Artificial Intelligence and Symbolic Computation, was the latest in the series of specialized biennial conferences founded in 1992 by Jacques Calmet of the Universität Karlsruhe and John Campbell of University College London with the initial title Artificial Intelligence and Symbolic Mathematical Computing (AISMC). The M disappeared from the title between the 1996 and 1998 conferences. As the editors of the AISC 1998 proceedings said, the organizers of the current meeting decided to drop the adjective ‘mathematical’ and to emphasize that the conference is concerned with all aspects of symbolic computation in AI: mathematical foundations, implementations, and applications, including applications in industry and academia.

This remains the intended profile of the series, and will figure in the call for papers for AISC 2006, which is intended to take place in China. The distribution of papers in the present volume over all the areas of AISC happens to be rather noticeably mathematical, an effect that emerged because we were concerned to select the best relevant papers that were offered to us in 2004, irrespective of their particular topics; hence the title on the cover. Nevertheless, we encourage researchers over the entire spectrum of AISC, as expressed by the 1998 quotation above, to be in touch with us about their interests and the possibility of eventual submission of papers on their work for the next conference in the series.

The papers in the present volume are evidence of the health of the field of AISC. Additionally, there are two reasons for optimism about the continuation of this situation.

The first is that almost all the items in the list of useful areas for future research that the editors of the proceedings of the first conference in 1992 suggested in a ‘state of the field’ paper there are represented in AISC 2004. Many have of course been present in other AISC conferences too, but never so many as in this year’s conference: theorem proving, expert systems, qualitative reasoning, Gröbner bases, differential and integral expressions, computational group theory, constraint-based programming, specification (implying verification), and instances of automated learning, for example. The only major items from the 1992 list that would be needed here to make up what poker players might call a full house are knowledge representation and intelligent user interfaces for mathematical tasks and mathematical reasoning - but while a word search in this volume may not find them, ingredients of both are undoubtedly present this year. (For a hint, see the next paragraph.)

The second of our reasons for an optimistic view of AISC is the maturation of a scientific proposal or prediction that dates back to 1985. In founding the Journal of Symbolic Computation in that year, one of us proposed that SC should encompass both exact mathematical algorithmics (computer algebra) and automated reasoning. Only in recent years has an integration and interaction of these two fields started to materialize. Since 2001 in particular, this has given rise to the MKM (mathematical knowledge management) ‘movement’, which considers seriously the automation of the entire process of mathematical theory exploration. This is now one of the most promising areas for the application of AI methods in general (for invention or discovery of mathematical concepts, problems, theorems and algorithms) to mathematics/SC and vice versa.

We are happy to be continuing the fruitful collaboration with Springer which started with the first AISMC conference in 1992 and which permitted the publication of the proceedings in the Lecture Notes in Computer Science (LNCS 737, 958, 1138) series from 1992 to 1996 and the Lecture Notes in Artificial Intelligence (LNAI 1476, 1930, 2385) series subsequently.

We, the AISC steering committee, and the organizers of the conference, are grateful to the following bodies for their financial contributions towards its operation and success: Linzer Hochschulfonds, Upper Austrian Government, FWF (Austrian Science Foundation), Raiffeisenlandesbank Upper Austria, Siemens Austria, IBM Austria, and CoLogNET.

Our thanks are also due to the members of the program committee and several additional anonymous referees, and to those who ensured the effective running of the actual conference and its Web sites.

In this latter connection, we administered the submission and selection of papers for AISC 2004 entirely through special-purpose conference software for the first time in the history of AISC, using the START V2 conference manager described at www.softconf.com. This contributed substantially to the efficiency of the whole process, and allowed us to respect an unusually tight set of deadlines. We appreciate the prompt and helpful advice on using this software that we received from Rich Gerber whenever we needed it.

The effectiveness of the final stage of production of this volume was due mainly to the intensive work of Theodoros Pagtzis. We express our gratitude to him.
The Algorithmization of Physics: Math Between Science and Engineering*



Markus Rosenkranz

Johann Radon Institute for Computational and Applied Mathematics
Austrian Academy of Sciences, A-4040 Linz, Austria
Markus.Rosenkranz@oeaw.ac.at



Abstract. I give a concise description of my personal view on symbolic computation, its place within mathematics and its relation to algebra. This view is exemplified by a recent result from my own research: a new symbolic solution method for linear two-point boundary value problems. The essential features of this method are discussed with regard to a potentially novel line of research in symbolic computation.



1 Physics: The Source and Target of Math 

What is the nature of mathematics? Over the centuries, philosophers and mathematicians have proposed various different answers to this elusive and intriguing question. Any reasonable attempt to systematically analyze these answers is a major epistemological endeavor. The goal of this presentation is more modest: I want to give you a personal (partial) answer to the question posed above, an answer that highlights some aspects of mathematics that I consider crucial from the perspective of symbolic computation. At the end of my presentation, I will substantiate my view by a recent example from my own research.

According to [4], humankind has cultivated the art of rational problem solving in a fundamental three-step rhythm:

1. Observation: The problem of the real world is specified by extracting relevant data in an abstract model.

2. Reasoning: The model problem is solved by suitable reasoning steps, carried out solely in the abstract model.

3. Action: The model solution is applied in the real world by effectuating the desired result.

In this view, mathematics is not limited to any particular objects like numbers or figures; it is simply “reasoning in abstract models” (item number 2 in the enumeration above). For highlighting its place in the overall picture, let us take up the example of physics - of course, one can make similar observations for other disciplines like chemistry, biology, economics or psychology.

We can see physics as a natural science that deals with observations about matter and energy (item number 1 in the three-step rhythm). In doing so, it extracts various patterns from the mass of empirical data and tabulates them in natural laws. It is here that it comes in contact with mathematics, which provides a rich supply of abstract structures for clothing these laws. In this process, physicists have often stimulated deep mathematical research for establishing the concepts asked for (e.g. distributions for modeling point sources), sometimes they have also found ready-made material in an unexpected corner of “pure mathematics” (e.g. Rogers-Ramanujan identities for kinetic gas theory); most of the time, however, we see a parallel movement of mutual fertilization.

* This work is supported by the Austrian Science Foundation FWF in project F1322.

As a branch of technical engineering, physics is utilized for constructing the machines that we encounter in the world of technology (item number 3 in the three-step rhythm). Engineers are nowadays equipped with a huge body of powerful applied mathematics - often hidden in the special-purpose software at their disposal - for controlling some processes of nature precisely in the way desired at a certain site (e.g. the temperature profile of a chemical reactor). If we are inclined to look down on this “down-to-earth math”, we should not forget that it is not only the most prominent source of our money but also the immediate reason for our present-day prosperity.

Of course, the above assignment 1 ~ natural sciences (e.g. theoretical physics), 2 ~ formal science (i.e. mathematics), 3 ~ technical sciences (e.g. engineering physics) must be understood cum grano salis: Abstract “mathematical” reasoning steps are also employed in the natural and technical sciences, and a mathematician will certainly benefit from understanding the physical context of various mathematical structures. Besides this, the construction of models is also performed within mathematics when powerful concepts are invented for solving math-internal problems in the same three-step rhythm (e.g. 1 ~ extension fields, 2 ~ Galois groups, 3 ~ solvability criterion).

2 Algebraization: The Commitment to Computing 

The above view of mathematics prefers its dynamical side (problem solving) over its static one (knowledge acquisition), but actually the two sides are intimately connected (knowledge is needed for solving problems, and problems are the best filter for building up relevant knowledge bases). The dynamic view of mathematics is also the natural starting point for symbolic computation, as I will explicate in the next section. In fact, one can see symbolic computation as its strictest realization, deeply embedded in the overall organism of less constructive or “structural” mathematics.

Within symbolic computation, I will focus on computer algebra in this presentation. Strictly speaking, this means that we restrict our interest to algebraic structures (domains with functional signatures and equational axioms like rings). But this is not a dogmatic distinction, rather a point of emphasis; e.g. fields are also counted among the algebraic structures despite their non-equational axiom on reciprocals. In some sense computer algebra is the most traditional branch of symbolic computation since rewriting functions along equational chains is maybe the most natural form of “computation with symbols”. What is more important, though, is the axiomatic description of the algebraic structures in use.
Judging from our present understanding, it may seem obvious that one should proceed in this way. Looking at the historical development, however, we perceive a movement of increasing abstraction that has not stopped at the point indicated above [9]. We can see four distinct stages in this abstraction process:

1. Concrete Algebra (Weber, Fricke): Virtually any ring considered was a subring of the integers or of the complex polynomials or of some algebraic number field (similar for other domains). Various “identical” results were proved separately for different instances.

2. Abstract Algebra (Noether, van der Waerden): Rings are described by their axioms; the classical domains mentioned above are subsumed as examples. All the proofs are now done once, within “ring theory”.

3. Universal Algebra (Grätzer, Cohn): Classes of algebraic structures are considered collectively; rings are just one instance of an algebraic structure. Results like the homomorphism theorem can be proved for generic algebraic structures that specialize to rings, groups, and the like.

4. Category Theory (Mac Lane, Eilenberg): Categories are any collection of objects (like algebraic or non-algebraic structures) connected through arrows (like homomorphisms in algebraic structures). The objects need not have a set-theoretic texture (as the carriers of structures have).

The role of mathematics as reasoning in abstract models becomes very clear in the process of algebraization: the mathematical models are now specified precisely by way of axioms and we need no longer rely on having the same intuition about them. Let me detail this by looking at one of the most fundamental structures used in physics - the notion of the continuum, which provides a scale for measuring virtually all physical quantities. Its axiomatization as the complete ordered field of reals needed centuries of focused mathematical research culminating in the categoricity result. Proceeding with computer algebra, we would now strip off the topological aspects (the “complete ordered” part) from the algebraic ones (the “field” part) and then study its computable subfields (finite extensions of the rationals).

If one models physical quantities by real numbers, analyzing their mutual dependence amounts to studying real functions (real analysis), and the natural laws governing them are written as differential equations. Their application to specific situations is controlled by adjusting some data like various parameters and initial/boundary conditions. Since the latter are the most frequent data in physical problems [10], boundary value problems (BVPs) will serve as a fitting key example in the last section of this presentation.

3 Algorithmization: The Realization of Computing 

In order to actually “compute” the solution of a problem in an abstract model, algebraization alone is not enough. We have already observed this in the above example of the continuum: The field of real numbers is regarded as an algebraic domain, but it is clearly uncomputable because of its uncountable carrier. In view of these facts, Buchberger [7, 3, 5] has defined symbolic computation (in particular: computer algebra) as that part of algorithmic mathematics (in particular: algorithmic algebra) which solves problems stated in non-algorithmic domains by translating them into isomorphic algorithmic representations.

Let us look at three immediate examples:

1. The traditional definition of polynomials introduces them as certain (infinite!) congruence classes over some term algebra in the variety of unital commutative rings [13]. The modern definition starts from a monoid ring [12], which turns out to be an isomorphic translation of the former, basically encoding the canonical representatives of the congruence classes.

2. As another example, consider the cardinal question of ideal membership in algebraic geometry: As infinite sets, ideals cannot directly be treated by algorithmic methods; representing them via Gröbner bases allows a finitary description and a solution of the ideal membership problem [1,2,6].

3. Finally, let us consider an example from a traditional domain of symbolic computation that does not belong to computer algebra, namely automated theorem proving. It is based on translating the non-algorithmic (semantic) concept of consequence into the algorithmic (syntactic) concept of deducibility, the isomorphism being guaranteed by Gödel’s Completeness Theorem.

Returning to the example of boundary value problems introduced above, we should also note that there are actually two famous approaches for algorithmization: symbolic computation takes the path through algebraization, whereas numerical computation goes through approximation. Simplifying matters a bit, we could say that symbolic computation hunts down the algebraic structure of the continuum, numerical computation its topological structure¹. But while industrial mathematics is virtually flooded with numerical solvers (mostly of finite-element type), it is strange to notice that computer algebra systems like Maple or Mathematica do not provide any command for attacking those BVPs that have a symbolic solution. My own research on symbolic functional analysis can be seen as an endeavor to change this situation.



4 Symbolic Functional Analysis: Conquering a New Territory for Computing

I will now sketch my own contribution to the exciting process of conquering more and more territory through algebraization and algorithmization. As mentioned before, it deals with certain boundary value problems. More precisely, we are given a function $f$ in $C^\infty[0,1]$, say², and we want to find a solution $u$ in $C^\infty[0,1]$ such that

$$Tu = f, \quad B_0 u = u_0, \; \ldots, \; B_{n-1} u = u_{n-1} . \qquad (1)$$

Here $T$ is a linear differential operator like $T = D^2 - 2e^x D + 1$ and $B_0, \ldots, B_{n-1}$ are boundary operators like $u \mapsto u'(0) - 2u(1)$, whose number $n$ should coincide with the order of $T$. Furthermore, we require the boundary conditions to be such that the solution $u$ exists and is unique for every choice of $f$; in other words, we consider only regular BVPs.

¹ The ideal algorithmic approach to problem solving would be to combine the best parts of both symbolic and numerical computation, which is the overall objective of a 10-year special research project (SFB) at Johannes Kepler University. My own research there takes place in the subproject [17] on symbolic functional analysis; for some details, see the next section.

In my own understanding, BVPs are the prototype for a new kind of problem in symbolic computation: Whereas “computer algebra” focuses on algorithmically solving for numbers (typical example: Gröbner bases for triangularizing polynomial systems) and “computer analysis” does the same for functions (typical example: differential algebra for solving differential equations), the proper realm of “computer operator-theory” or symbolic functional analysis would be solving for operators. See [17] for more details on this three-floor conception of the algebraic part of symbolic computation.

Why are BVPs an instance of solving for operators? The reason is that the forcing function $f$ in (1) is understood as a symbolic parameter: One wants to have the solution $u$ as a term that contains $f$ as a free variable. In other words, one needs an operator $G$ that maps any given $f$ to $u$. For making this explicit, let us rewrite the traditional formulation (1) as

$$TG = 1, \quad B_0 G = 0, \; \ldots, \; B_{n-1} G = 0 . \qquad (2)$$



Here $1$ and $0$ denote the identity and zero operator, respectively. Note also that I have passed to homogeneous boundary conditions (it is always possible to reduce a fully inhomogeneous problem to such a semi-inhomogeneous one).

The crucial idea of my solution method for (2) is to model the above operators as noncommutative polynomials and to extract their algebraically relevant properties into a collection of identities. For details, please refer to my PhD thesis [14]; see also [16,15]. The outcome of this strategical plan is the noncommutative polynomial ring $\mathbb{C}\langle \{D, A, B, L, R\} \cup \{[f] \mid f \in \mathcal{F}\} \rangle$ together with a collection of 36 polynomial equalities. The indeterminates $D, A, B, L, R$ and $[f]$ stand for differentiation, integral, cointegral, left boundary value, right boundary value and the multiplication operator induced by $f$; here $f$ may range over any so-called analytic algebra $\mathcal{F}$ (a natural extension of a differential algebra), e.g. the exponential polynomials. The 36 polynomial identities express properties like the product rule of differentiation, the fundamental theorem of calculus, and integration by parts.

² The smoothness conditions can be dispensed with by passing to distributions on $[0, 1]$. Of course one can also choose an arbitrary finite interval $[a, b]$ instead of the unit interval. See [15] for details.
I have proved that the 36 polynomials on the left-hand side of the respective identities actually constitute a non-commutative Gröbner basis with terminating reduction (a fact that is not guaranteed in the noncommutative case, in particular not if one deals with infinitely many polynomials like the multiplication operator $[f]$ above). Since I have retrieved a generic formula for $G$, the resulting polynomial has just to be normalized with respect to this Gröbner basis; the corresponding normal form turns out to be the classical Green’s operator with the Green’s function as its kernel - a well-known picture for every physicist!

As a conclusion, let me briefly reflect on the solution scheme sketched above. First of all, we observe the algebraization involved in transforming the topological concepts of differentiation and integration into fitting algebraic counterparts; the creation of $\mathbb{C}\langle \{D, A, B, L, R\} \cup \{[f] \mid f \in \mathcal{F}\} \rangle$ can also be seen as an instance of math-internal modeling in the sense described in the first section. Second, we note the crucial role of noncommutative Gröbner bases in providing the classical Green’s operator $G$: without a confluent and noetherian system of identities the search for normal forms would not be an algorithmic process. Third, we may also notice the advantage of working purely on the level of operators, as opposed to traditional solution methods on the function level that use costly determinant computations; see e.g. page 189 in [11].

Finally, let me point out that solving BVPs in this way could be the first step into a new territory for symbolic computation that we have baptized “symbolic functional analysis” in [17]. Its common feature would be the algorithmic study (and inversion) of some crucial operators occurring in functional analysis; its main tool would be noncommutative polynomials. Besides more general BVPs (PDEs rather than ODEs, nonlinear rather than linear, systems of equations rather than single equations, etc.), some potentially interesting problems could be: single layer potentials, exterior Dirichlet problems, inverse problems like the backwards heat equation, computation of principal symbols, eigenvalue problems.
1 Introduction

Universal algebra has underpinned the modern research in formal logic since Garrett Birkhoff’s pioneering work in the 1930’s and 1940’s. Since the early 1970’s, the entanglement of logic and algebra has been successfully exploited in many areas of computer science from the theory of computation to Artificial Intelligence (AI).

The scientific outcome of the interplay between logic and universal algebra in computer science is rich and vast (cf. [2]). In this presentation I shall discuss some applications of universal algebra in AI with an emphasis on Knowledge Representation and Reasoning (KRR).

A brief survey, such as this, of possible ways in which the universal algebra theory could be employed in research on KRR systems, has to be necessarily incomplete. It is primarily for this reason that I shall concentrate almost exclusively on propositional KRR systems. But there are other reasons too. The outburst of research activities on stochastic local search for propositional satisfiability that followed the seminal paper A New Method for Solving Hard Satisfiability Problems by Selman, Levesque, and Mitchell (cf. [11]), provides some evidence that propositional techniques could be surprisingly effective in finding solutions to ‘realistic’ instances of hard problems.

2 Propositional KRR Systems 

One of the main objectives of Knowledge Representation is the development of adequate and, preferably, tractable formal representational frameworks for modeling intelligent behaviors of AI agents.

In the symbolic approach to knowledge representation, a KRR system consists of at least a formal knowledge representational language $\mathcal{L}$ and of an inference operation $\vdash$ on $\mathcal{L}$. Such a system may involve additional operations and relations besides $\vdash$ (such as plan generation and evaluation, belief revision, or diagnosis); for some domains, some of these additional operations can be defined or implemented in terms of ‘basic’ logical operations: logical inference, consistency verification, and satisfiability checking. Representing reasoning tasks as instances of logical inference, consistency, and satisfiability problems is discussed below.
Syntax. In the propositional case, a representational language $\mathcal{L}$, defined by a set of propositional variables $Var$ and logical connectives $f_0, \ldots, f_n$, can be viewed as a term algebra (or Lindenbaum’s algebra of formulas)

$$(Terms(Var), f_0, \ldots, f_n),$$

generated by $Var$, where $Terms(Var)$ denotes the set of all well-formed formulas of $\mathcal{L}$. Syntactically richer languages can be adequately modeled using, for instance, partial and many-sorted term algebras.

Inference Systems. Given a propositional language $\mathcal{L}$, a relation $\vdash$ between sets of formulas of $\mathcal{L}$ and formulas of $\mathcal{L}$ is called an inference operation on $\mathcal{L}$, if for every set $X$ of formulas:

(c1) $X \subseteq C(X)$ (inclusion);

(c2) $C(C(X)) \subseteq C(X)$ (idempotence);

where $C(X) = \{\beta \mid X \vdash \beta\}$. An inference system on $\mathcal{L}$ is a pair $(\mathcal{L}, \vdash)$, where $\vdash$ is an inference operation on $\mathcal{L}$. Further conditions on $\vdash$ can be imposed: for every $X, Y \subseteq Terms(Var)$,

(c3) $X \subseteq Y \subseteq C(X)$ implies $C(X) = C(Y)$ (cumulativity);

(c4) $X \subseteq Y$ implies $C(X) \subseteq C(Y)$ (monotonicity);

(c5) for every endomorphism $e$ of $\mathcal{L}$, $e(C(X)) \subseteq C(e(X))$ (structurality).

Every inference system satisfying (c1)-(c5) is called a propositional logic. Since Tarski’s axiomatization of the concept of a consequence operation in formalized languages, algebraic properties of monotonic and non-monotonic inference operations have been extensively studied in the literature (cf. [1,10,13,16]).

Matrix Semantics. The central idea behind classical matrix semantics is to view algebras similar to a language $\mathcal{L}$ as models of $\mathcal{L}$. Interpretations of formulas of $\mathcal{L}$ in an algebra $A$ similar to $\mathcal{L}$ are homomorphisms of $\mathcal{L}$ into $A$. When $A$ is augmented with a subset $d$ of the universe of $A$, the resulting structure

$$M = (A, d),$$

called a logical matrix for $\mathcal{L}$, determines the inference operation $\vdash_M$ defined in the following way: for every set $X \cup \{\alpha\}$ of formulas of $\mathcal{L}$,

$X \vdash_M \alpha$ iff for every homomorphism $h$ of $\mathcal{L}$ into $A$, if $h(X) \subseteq d$ then $h(\alpha) \in d$.

The research on logical matrices has been strongly influenced by universal algebra and model theory. Wójcicki’s monograph [16] contains a detailed account of the development of matrix semantics since its inception in the early 20th century. In AI, matrix semantics (and a closely related discipline of many-valued logics) has been successfully exploited in the areas of Automated Reasoning, KRR, and Logic Programming (cf. [3,4,5,6,9,13,15]).
Monotone Calculi. The inference operation $\vdash_M$ defined by a logical matrix $M$ satisfies not only (c1)-(c3) but also (c4) and (c5). Furthermore, for every propositional calculus $(\mathcal{L}, \vdash)$ there exists a class $\mathcal{K}$ of logical matrices for $\mathcal{L}$ such that $\vdash = \bigcap \{\vdash_M \mid M \in \mathcal{K}\}$.
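As an added illustration (not part of the original paper), the following Python code implements the matrix consequence relation $\vdash_M$ defined under Matrix Semantics above, by enumerating all homomorphisms of the term algebra into a finite algebra $A$, and checks conditions (c1), (c2) and (c4) of the Inference Systems paragraph on a finite sample of formulas. The two matrices (the classical two-valued matrix and Łukasiewicz's three-valued matrix, both with designated set $d = \{1\}$), the tuple encoding of formulas and the `Matrix` class are constructed assumptions of this example.

```python
"""Matrix consequence X |-_M alpha for a logical matrix M = (A, d).

A homomorphism h of the term algebra into A is fixed by its values on the
propositional variables, so it suffices to enumerate all valuations of the
finitely many variables occurring in X and alpha.  Constructed example; the
encoding and the two matrices below are assumptions, not the paper's code.
"""
from fractions import Fraction
from itertools import product

# Formulas: a variable is a string, a compound formula is a tuple
# (connective, arg_1, ..., arg_n).  Connectives used here: 'neg', 'or', 'and', 'imp'.


def variables(formula):
    """Set of propositional variables occurring in a formula."""
    if isinstance(formula, str):
        return {formula}
    return set().union(*(variables(arg) for arg in formula[1:]))


class Matrix:
    """Logical matrix M = (A, d): A is given by its universe and one operation
    per connective, d is the set of designated values."""

    def __init__(self, universe, ops, designated):
        self.universe = list(universe)
        self.ops = ops  # connective name -> operation on the universe
        self.designated = set(designated)

    def evaluate(self, formula, valuation):
        """Extend a valuation (variable -> A) to the homomorphism h."""
        if isinstance(formula, str):
            return valuation[formula]
        conn, *args = formula
        return self.ops[conn](*(self.evaluate(a, valuation) for a in args))

    def entails(self, premises, conclusion):
        """X |-_M alpha: no homomorphism designates all of X but not alpha."""
        premises = list(premises)
        vs = sorted(set().union(variables(conclusion), *(variables(p) for p in premises)))
        for values in product(self.universe, repeat=len(vs)):
            h = dict(zip(vs, values))
            if all(self.evaluate(p, h) in self.designated for p in premises):
                if self.evaluate(conclusion, h) not in self.designated:
                    return False  # counter-model found
        return True

    def consequences(self, premises, candidates):
        """C(X) restricted to a finite set of candidate formulas."""
        return {c for c in candidates if self.entails(premises, c)}


# Classical two-valued matrix: A = ({0, 1}, neg, or, and, imp), d = {1}.
CLASSICAL = Matrix(
    [0, 1],
    {"neg": lambda a: 1 - a, "or": max, "and": min,
     "imp": lambda a, b: max(1 - a, b)},
    {1})

# Lukasiewicz three-valued matrix: A = ({0, 1/2, 1}, ...), d = {1}.
HALF = Fraction(1, 2)
L3 = Matrix(
    [Fraction(0), HALF, Fraction(1)],
    {"neg": lambda a: 1 - a, "or": max, "and": min,
     "imp": lambda a, b: min(Fraction(1), 1 - a + b)},
    {Fraction(1)})

P, Q = "p", "q"
EXCLUDED_MIDDLE = ("or", P, ("neg", P))          # valid classically, not in L3
MODUS_PONENS = ([P, ("imp", P, Q)], Q)           # valid in both matrices


def check_conditions(matrix, X, candidates):
    """Check (c1) inclusion, (c2) idempotence and (c4) monotonicity of C_M on a
    finite candidate set; a finite sample of the general claim, not a proof."""
    candidates = set(candidates) | set(X)
    C = matrix.consequences
    CX = C(X, candidates)
    c1 = set(X) <= CX
    c2 = C(CX, candidates) <= CX
    c4 = all(CX <= C(list(X) + [extra], candidates) for extra in candidates)
    return c1 and c2 and c4
```
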

Beyond Structurality: Admissible Valuations. One way of extending matrix semantics to cover non-structural inference systems is to define the semantic entailment in terms of ‘admissible interpretations’, i.e., to consider generalized matrices of the form $(A, d, H)$, where $A$ and $d$ are as above, and $H$ is a subset of the set of all interpretations of $\mathcal{L}$ into $A$. In this semantic framework, every inference operation that satisfies (c1)-(c4) can be defined by a class of generalized matrices. A similar approach of admitting only some interpretations to model non-structural nonmonotonic inference systems has been also developed for preferential model semantics (cf. [7]).

Beyond Monotonicity: Preferential Matrices. The notion of cumulativity arose as a result of the search for desired and natural formal properties of nonmonotonic inference systems. A desired ‘degree’ of nonmonotonicity can be semantically modeled in terms of logical matrices of the form $M = (A, \mathcal{D}, H, \preceq)$, where $A$ and $H$ are as in a generalized matrix, $\mathcal{D}$ is a family of subsets of the universe of $A$, and $\preceq$ is a binary (preference) relation on $\mathcal{D}$. The inference operation $\vdash_M$ is defined as follows:

$X \vdash_M \alpha$ iff for every $h \in H$ and every $d \in \mathcal{D}$, if $d$ is a minimal element of $\mathcal{D}$ (with respect to $\preceq$) such that $h(X) \subseteq d$, then $h(\alpha) \in d$.

Preferential matrices have the same semantic scope as preferential model structures (cf. [8,14]).

Logical Matrices with Completion. It is not essential to interpret the underlying algebra $A$ of a logical matrix $M$ for a language $\mathcal{L}$ as a space of truth-values for the formulas of $\mathcal{L}$. The elements of $A$ can be interpreted as propositions, events, and even infons of the Situation Theory of Barwise and Perry. If one views subsets of the universe of $A$ as situations (partial or complete), then preferential matrices can be replaced by structures of the form $M = (A, H, \overline{\,\cdot\,})$ called matrices with completion, where $A$ and $H$ are as above and $\overline{\,\cdot\,}$ is a function that maps $2^{|A|}$ into $2^{|A|}$ such that for every $B \subseteq |A|$, $B \subseteq \overline{B} = \overline{\overline{B}}$. In the language of universal algebra, $\overline{\,\cdot\,}$ is a closure operator on $A$. This operation can be thought of as a completion function that assigns an actual and complete situation $\overline{B}$ to a (possibly partial) situation $B$ which is a part of $\overline{B}$. The inference operation $\vdash_M$ associated with such a matrix is defined as follows: for every set $X \cup \{\alpha\}$ of formulas,

$X \vdash_M \alpha$ iff for every $h \in H$, $h(\alpha) \in \overline{h(X)}$.

Matrices with completion can be used to semantically model cumulativity without any explicit reference to preference.
Beyond Matrix Semantics. The interplay between logic and universal algebra goes far beyond Matrix Semantics; a wealth of results harvested in disciplines such as type theory, term rewriting, algebraic logic, or fuzzy logic, and subjects such as bilattices, dynamic logics, or unification, have had and will continue to have a significant impact on AI research.

3 Problem Solving as Consistency Verification 

Automated Reasoning deals with the development and application of computer programs to perform a variety of reasoning tasks frequently represented as instances of the consistency verification problem.

Refutational Principle. Refutational theorem proving methods, such as resolution, rely on a correspondence between valid inferences and finite inconsistent sets. The refutational principle for an inference system $\mathcal{P} = (\mathcal{L}, \vdash)$ states that there is an algorithm that transforms every finite set $X \cup \{\alpha\}$ of formulas into another finite set $X_\alpha$ of formulas in such a way that

(ref) $X \vdash \alpha$ iff $X_\alpha$ is inconsistent in $\mathcal{P}$ (i.e., for every formula $\beta$, $X_\alpha \vdash \beta$).

In the light of (ref), a refutational automated reasoning system answers a query $X \vdash \alpha$ by determining the consistency status of $X_\alpha$.

Resolution Algebras. Let $\mathcal{L} = (Terms(Var), f_0, \ldots, f_n)$ be a propositional language (let us assume that the disjunction, denoted by $\vee$, is among the connectives of $\mathcal{L}$). A resolution algebra for $\mathcal{L}$ is a finite algebra of the form

$$Rs = ((\{v_0, \ldots, v_k\}, f_0, \ldots, f_n), \mathcal{V})$$

where: $V = \{v_0, \ldots, v_k\}$ is a set of formulas of $\mathcal{L}$ called verifiers, for every $i \le n$, $f_i$ and the corresponding connective $f_i$ are of the same arity, and $\mathcal{V}$ is a subset of $V$. $Rs$ defines two types of inference rules. The resolution rule

$$\frac{\alpha_0(p), \ldots, \alpha_k(p)}{\alpha_0(p/v_0) \vee \ldots \vee \alpha_k(p/v_k)}$$

is the case analysis on truth of a common variable $p$ expressed using verifiers. The other inference rules are the simplification rules defined by the operations $f_0, \ldots, f_n$ (see [13]). A set $X$ of formulas is refutable in $Rs$ if and only if one of the verifiers from $\mathcal{V}$ can be derived from $X$ using the inference rules defined by $Rs$.

Resolution Logics. A propositional logic $\mathcal{P} = \langle\mathcal{L}, \vdash\rangle$ is said to be a resolution logic if there exists a resolution algebra $Rs$ such that for every finite set $X$ of formulas (which do not share variables with the verifiers),

$X$ is inconsistent in $\mathcal{P}$ iff $X$ is refutable in $Rs$.
Additional conditions to guarantee the soundness of the refutation process should also be imposed (cf. [13]). The class of resolution logics consists of those calculi which are indistinguishable on inconsistent sets from logics defined by finite matrices. Furthermore, resolution algebras for logics defined by finite logical matrices can be effectively constructed from the defining matrices (cf. [13]).

Lattices of Resolution Logics. For a logic $\mathcal{P} = \langle\mathcal{L}, \vdash\rangle$, let $\mathcal{K}_\mathcal{P}$ denote the class of all logics on $\mathcal{L}$ which have the same inconsistent sets as $\mathcal{P}$. $\mathcal{K}_\mathcal{P}$ is a bounded lattice under the ordering $\le$ defined as follows: if $\mathcal{P}_i = \langle\mathcal{L}, \vdash_i\rangle$, $i = 0, 1$, then $\mathcal{P}_0 \le \mathcal{P}_1$ iff $\mathcal{P}_1$ is inferentially at least as strong as $\mathcal{P}_0$. The lattice $(\mathcal{K}_\mathcal{P}, \le)$ is a convenient tool to discuss the scope of the resolution method defined in terms of resolution algebras: if $\mathcal{P}$ is a resolution logic, then so are all the logics in $\mathcal{K}_\mathcal{P}$. From the logical standpoint, the systems in $\mathcal{K}_\mathcal{P}$ can be quite different; from the refutational point of view, they can all be defined by the same resolution algebra.

Nonmonotonic Resolution Logics. Resolution algebras can also be used to implement some nonmonotonic inference systems. Let $\mathcal{P} = \langle\mathcal{L}, \mathrel{|\!\sim}\rangle$ be an arbitrary cumulative inference system. The monotone base of $\mathcal{P}$ is the greatest logic $\mathcal{P}_b$ on $\mathcal{L}$ (with respect to $\le$) such that $\mathcal{P}_b \le \mathcal{P}$. The monotone base of the so-called supraclassical inference systems is classical propositional logic (cf. [8]).

The consistency preservation property limits the inference power by which $\mathcal{P}$ and $\mathcal{P}_b$ can differ (cf. [8,13]). It states that both $\mathcal{P}$ and $\mathcal{P}_b$ have to have the same inconsistent sets of formulas. Every cumulative, structural, and proper inference system satisfies the consistency preservation property. Hence, every such system can be provided with a resolution-algebra-based proof system, provided that its monotone base is a resolution logic.

4 Problem Solving as Satisfiability

A reasoning task, such as a planning problem, can be solved by, first, expressing it as a satisfiability problem in some logical matrix $\mathcal{M}$ and, then, solving it using one of the satisfiability solvers for $\mathcal{M}$. In spite of the fact that for many finite matrices $\mathcal{M} = \langle\mathbf{A}, d\rangle$ the satisfiability problem

($SAT_\mathcal{M}$) for every formula $\alpha$, determine whether or not there exists an interpretation $h$ such that $h(\alpha) \in d$

is NP-complete, a number of complete and incomplete $SAT_\mathcal{M}$ solvers have been developed, and their good performance in finding solutions to instances of many problems in real-world domains has been demonstrated empirically.

Searching for Satisfying Interpretation. Given a matrix $\mathcal{M} = \langle\mathbf{A}, d\rangle$ for a language $\mathcal{L}$, a stochastic local search algorithm for satisfiability in $\mathcal{M}$ starts by generating a random interpretation $h$ restricted to the variables of an input formula $\alpha$. Then it locally modifies $h$ by selecting a variable $p$ of $\alpha$, using some selection heuristic $select\text{-}var(\alpha, h)$, and changing its truth-value from $h(p)$ to some new truth-value using another selection heuristic $select\text{-}val(\alpha, p, h)$. Such selections of variables and such changes of their truth-values are repeated until either $h(\alpha) \in d$ or the time allocated to modify $h$ into a satisfying valuation has elapsed. The process is repeated (if needed) up to a specified number of times.

The above procedure informally defines an incomplete $SAT_\mathcal{M}$ solver (clearly, it cannot be used to determine the unsatisfiability of a formula).
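The search loop just described, as an added Python example (this is not code from the paper, nor from the polSAT solver mentioned below): an incomplete $SAT_\mathcal{M}$ solver over an arbitrary finite matrix $\mathcal{M} = \langle\mathbf{A}, d\rangle$, with random restarts and a flip budget. The `Matrix` class, the encoding of formulas as nested tuples, the two sample matrices (classical and strong Kleene, both with designated set $\{1\}$) and the one-step-lookahead versions of `select_var` and `select_val` are assumptions of this example; they stand in for the polarity-based heuristics of [12], which are not reproduced here.

```python
import random

class Matrix:
    """A finite logical matrix M = (A, d): truth values, one operation per
    connective, and the designated set d.  (Constructed for this example.)"""
    def __init__(self, values, ops, designated):
        self.values = tuple(values)
        self.ops = ops                      # connective name -> function on values
        self.designated = frozenset(designated)

# A formula is a variable (str) or a tuple (connective, arg1, ..., argn).
def evaluate(formula, h, m):
    """Value of formula under the interpretation h (dict variable -> value)."""
    if isinstance(formula, str):
        return h[formula]
    op, *args = formula
    return m.ops[op](*(evaluate(a, h, m) for a in args))

def variables(formula):
    if isinstance(formula, str):
        return {formula}
    return set().union(*(variables(a) for a in formula[1:]))

def satisfied(formula, h, m):
    """h(alpha) in d ?"""
    return evaluate(formula, h, m) in m.designated

def select_var(formula, h, m, rng):
    """select-var(alpha, h): prefer a variable whose value can be changed so
    that alpha becomes designated in one step, else a random variable (walk)."""
    vs = sorted(variables(formula))
    good = [p for p in vs
            if any(v != h[p] and satisfied(formula, {**h, p: v}, m) for v in m.values)]
    return rng.choice(good or vs)

def select_val(formula, p, h, m, rng):
    """select-val(alpha, p, h): a new value for p, preferring one that makes
    alpha designated; otherwise any value different from h(p)."""
    good = [v for v in m.values if v != h[p] and satisfied(formula, {**h, p: v}, m)]
    return rng.choice(good or [v for v in m.values if v != h[p]])

def local_search_sat(formula, m, tries=10, max_flips=100, seed=0):
    """Incomplete SAT_M solver: up to `tries` random restarts, each followed by
    at most `max_flips` local modifications of h.  Returns a satisfying
    interpretation, or None, which does NOT establish unsatisfiability."""
    rng = random.Random(seed)
    vs = sorted(variables(formula))
    for _ in range(tries):
        h = {p: rng.choice(m.values) for p in vs}     # random initial interpretation
        for _ in range(max_flips + 1):
            if satisfied(formula, h, m):
                return h
            p = select_var(formula, h, m, rng)
            h[p] = select_val(formula, p, h, m, rng)
    return None

# Sample matrices (constructed): classical two-valued logic, and the strong
# Kleene three-valued tables with the same connectives, designated set {1}.
CLASSICAL = Matrix({0, 1}, {"not": lambda a: 1 - a, "and": min, "or": max}, {1})
KLEENE = Matrix({0, 0.5, 1}, {"not": lambda a: 1 - a, "and": min, "or": max}, {1})

if __name__ == "__main__":
    alpha = ("and", ("or", "p", "q"), ("not", "p"))
    print(local_search_sat(alpha, CLASSICAL))         # {'p': 0, 'q': 1}
```

Because the lookahead in `select_var` only examines single changes, the walk can stall on formulas where every one-step change is a non-improvement; the random choice and the restarts are what keep the procedure from looping there, and the `None` result after the budget must be read as "not found", exactly as the text says.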

Polarity and $SAT_\mathcal{M}$. The classical notion of polarity of a variable $p$ in a formula $\alpha(p)$ captures the monotonic behavior of the term operation $f_\alpha(p)$ induced by $\alpha(p)$ over $p$ in a partially ordered algebra of truth-values. The selection heuristics $select\text{-}var(\alpha, h)$ and $select\text{-}val(\alpha, p, h)$ of a $SAT_\mathcal{M}$ solver can be defined in terms of polarity. This is done in the non-clausal solver polSAT for classical propositional logic as well as in its extensions to finitely-valued logics (cf. [12]).

Improving the Efficiency of Resolution with $SAT_\mathcal{M}$ Solvers. An unrestricted use of the resolution rule during the deductive process may very quickly result in a combinatorial explosion of the set of deduced resolvents, making the completion of a reasoning task unattainable in an acceptable amount of time. In an efficient resolution-based reasoning program the generation of resolvents that would evidently have no impact on the completion of a reasoning task must be blocked. Tautological resolvents are just that sort of formula.

For many resolution logics the tautology problem is coNP-complete. For some of these logics, $SAT_\mathcal{M}$ solvers can be used to guide the search for a refutation so that the use of tautologies during the refutation process is unlikely. At the same time the refutational completeness of the deductive process is preserved.
1 Introduction

We describe a rather natural proof search algorithm for a certain fragment of higher order (simply typed) minimal logic. This fragment is determined by requiring that every higher order variable $Y$ can only occur in a context $Y\vec{x}$, where $\vec{x}$ are distinct bound variables in the scope of the operator binding $Y$, and of opposite polarity. Note that for first order logic this restriction does not mean anything, since there are no higher order variables. However, when designing a proof search algorithm for first order logic only, one is naturally led into this fragment of higher order logic, where the algorithm works as well.

In doing this we rely heavily on Miller’s [1], who has introduced this type 
of restriction to higher order terms (called patterns by Nipkow [2]), noted its 
relevance for extensions of logic programming, and showed that the unification 
problem for patterns is solvable and admits most general unifiers. The present 
paper was motivated by the desire to use Miller’s approach as a basis for an 
implementation of a simple proof search engine for (first and higher order) min- 
imal logic. This goal prompted us into several simplifications, optimizations and 
extensions, in particular the following. 

— Instead of arbitrarily mixed prefixes we only use those of the form $\forall\exists\forall$. Nipkow in [2] already had presented a version of Miller’s pattern unification algorithm for such prefixes, and Miller in [1, Section 9.2] notes that in such a situation any two unifiers can be transformed into each other by a variable renaming substitution. Here we restrict ourselves to $\forall\exists\forall$-prefixes throughout, i.e., in the proof search algorithm as well.

— The order of events in the pattern unification algorithm is changed slightly, by postponing the raising step until it is really needed. This avoids unnecessary creation of new higher type variables. Already Miller noted in [1, p. 515] that such optimizations are possible.

— The extensions concern the (strong) existential quantifier, which has been left out in Miller’s treatment, and also conjunction. The latter can be avoided in principle, but of course is a useful thing to have.

Moreover, since part of the motivation to write this paper was the necessity to 
have a guide for our implementation, we have paid particular attention to write 
at least the parts of the proofs with algorithmic content as clear and complete 
as possible. 
The paper is organized as follows. Section 2 defines the pattern unification algorithm, and in Section 3 its correctness and completeness is proved. Section 4 presents the proof search algorithm, and again its correctness and completeness is proved. The final Section 5 contains what we have to say about extensions to $\wedge$ and $\exists$.



2 The Unification Algorithm 

We work in the simply typed $\lambda$-calculus, with the usual conventions. For instance, whenever we write a term we assume that it is correctly typed. Substitutions are denoted by $\varphi, \psi, \rho$. The result of applying a substitution $\varphi$ to a term $t$ or a formula $A$ is written as $t\varphi$ or $A\varphi$, with the understanding that after the substitution all terms are brought into long normal form.

$Q$ always denotes a $\forall\exists\forall$-prefix, say $\forall\vec{x}\exists\vec{y}\forall\vec{z}$, with distinct variables. We call $\vec{x}$ the signature variables, $\vec{y}$ the flexible variables and $\vec{z}$ the forbidden variables of $Q$, and write $Q_\exists$ for the existential part $\exists\vec{y}$ of $Q$.

$Q$-terms are inductively defined by the following clauses.

— If $u$ is a universally quantified variable in $Q$ or a constant, and $\vec{r}$ are $Q$-terms, then $u\vec{r}$ is a $Q$-term.

— For any flexible variable $y$ and distinct forbidden variables $\vec{z}$ from $Q$, $y\vec{z}$ is a $Q$-term.

— If $r$ is a $Q\forall z$-term, then $\lambda z r$ is a $Q$-term.

Explicitly, $r$ is a $Q$-term iff all its free variables are in $Q$, and for every subterm $y\vec{r}$ of $r$ with $y$ free in $r$ and flexible in $Q$, the $\vec{r}$ are distinct variables either $\lambda$-bound in $r$ (such that $y\vec{r}$ is in the scope of this $\lambda$) or else forbidden in $Q$.
$Q$-goals and $Q$-clauses are simultaneously defined by

— If $\vec{r}$ are $Q$-terms, then $P\vec{r}$ is a $Q$-goal as well as a $Q$-clause.

— If $D$ is a $Q$-clause and $G$ is a $Q$-goal, then $D \to G$ is a $Q$-goal.

— If $G$ is a $Q$-goal and $D$ is a $Q$-clause, then $G \to D$ is a $Q$-clause.

— If $G$ is a $Q\forall x$-goal, then $\forall x G$ is a $Q$-goal.

— If $D[y := Y\vec{z}]$ is a $\forall\vec{x}\exists\vec{y}, Y\forall\vec{z}$-clause, then $\forall y D$ is a $\forall\vec{x}\exists\vec{y}\forall\vec{z}$-clause.

Explicitly, a formula $A$ is a $Q$-goal iff all its free variables are in $Q$, and for every subterm $y\vec{r}$ of $A$ with $y$ either existentially bound in $A$ (with $y\vec{r}$ in the scope) or else free in $A$ and flexible in $Q$, the $\vec{r}$ are distinct variables either $\lambda$- or universally bound in $A$ (such that $y\vec{r}$ is in the scope) or else free in $A$ and forbidden in $Q$.

A $Q$-substitution is a substitution of $Q$-terms.

A unification problem $\mathcal{U}$ consists of a $\forall\exists\forall$-prefix $Q$ and a conjunction $C$ of equations between $Q$-terms of the same type, i.e., $r_i = s_i$. We may assume that each such equation is of the form $\lambda\vec{x} r = \lambda\vec{x} s$ with the same $\vec{x}$ (which may be empty) and $r, s$ of ground type.

A solution to such a unification problem $\mathcal{U}$ is a $Q$-substitution $\varphi$ such that for every $i$, $r_i\varphi = s_i\varphi$ holds (i.e., $r_i\varphi$ and $s_i\varphi$ have the same normal form). We sometimes write $C$ as $\vec{r} = \vec{s}$, and (for obvious reasons) call it a list of unification pairs.

We now define the unification algorithm. It takes a unification problem $\mathcal{U} = QC$ and returns a substitution $\rho$ and another pattern unification problem $\mathcal{U}' = Q'C'$. Note that $\rho$ will be neither a $Q$-substitution nor a $Q'$-substitution, but will have the property that

— $\rho$ is defined on flexible variables of $Q$ only, and its value terms have no free occurrences of forbidden variables from $Q$,

— if $G$ is a $Q$-goal, then $G\rho$ is a $Q'$-goal, and

— whenever $\varphi'$ is a $\mathcal{U}'$-solution, then $(\rho \circ \varphi')$ is a $\mathcal{U}$-solution.

To define the unification algorithm, we distinguish cases according to the form of the unification problem, and either give the transition done by the algorithm, or else state that it fails.

Case identity, i.e., $Q.r = r \wedge C$. Then

$Q.r = r \wedge C \Longrightarrow_\varepsilon QC$.

Case $\xi$, i.e., $Q.\lambda\vec{x} r = \lambda\vec{x} s \wedge C$. We may assume here that the bound variables $\vec{x}$ are the same on both sides.

$Q.\lambda\vec{x} r = \lambda\vec{x} s \wedge C \Longrightarrow_\varepsilon Q\forall\vec{x}.r = s \wedge C$.

Case rigid-rigid, i.e., $Q.f\vec{r} = f\vec{s} \wedge C$.

$Q.f\vec{r} = f\vec{s} \wedge C \Longrightarrow_\varepsilon Q.\vec{r} = \vec{s} \wedge C$.

Case flex-flex with equal heads, i.e., $Q.u\vec{y} = u\vec{z} \wedge C$.

$Q.u\vec{y} = u\vec{z} \wedge C \Longrightarrow_\rho Q'.C\rho$

with $\rho = [u := \lambda\vec{y}.u'\vec{w}]$, $Q'$ is $Q$ with $\exists u$ replaced by $\exists u'$, and $\vec{w}$ an enumeration of $\{y_i \mid y_i = z_i\}$ (note $\lambda\vec{y}.u'\vec{w} = \lambda\vec{z}.u'\vec{w}$).

Case flex-flex with different heads, i.e., $Q.u\vec{y} = v\vec{z} \wedge C$.

$Q.u\vec{y} = v\vec{z} \wedge C \Longrightarrow_\rho Q'.C\rho$,

where $\rho$ and $Q'$ are defined as follows. Let $\vec{w}$ be an enumeration of the variables both in $\vec{y}$ and in $\vec{z}$. Then $\rho = [u, v := \lambda\vec{y}.u'\vec{w}, \lambda\vec{z}.u'\vec{w}]$, and $Q'$ is $Q$ with $\exists u, \exists v$ removed and $\exists u'$ inserted.

Case flex-rigid, i.e., $Q.u\vec{y} = t \wedge C$ with $t$ rigid, i.e., not of the form $v\vec{z}$ with flexible $v$.

Subcase occurrence check: $t$ contains (a critical subterm with head) $u$. Fail.

Subcase pruning: $t$ contains a subterm $v\vec{w}_1 z \vec{w}_2$ with $\exists v$ in $Q$, and $z$ free in $t$ but not in $\vec{y}$.

$Q.u\vec{y} = t \wedge C \Longrightarrow_\rho Q'.u\vec{y} = t\rho \wedge C\rho$

where $\rho = [v := \lambda\vec{w}_1, z, \vec{w}_2.v'\vec{w}_1\vec{w}_2]$, $Q'$ is $Q$ with $\exists v$ replaced by $\exists v'$.

Subcase pruning impossible: $\lambda\vec{y}t$ (after all pruning steps are done still) has a free occurrence of a forbidden variable $z$. Fail.

Subcase explicit definition: otherwise.

$Q.u\vec{y} = t \wedge C \Longrightarrow_\rho Q'.C\rho$

where $\rho = [u := \lambda\vec{y}t]$, and $Q'$ is obtained from $Q$ by removing $\exists u$.

This concludes the definition of the unification algorithm.
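To make the case analysis above concrete, here is an added Python implementation of these transitions; it is not code from the paper or from the authors' implementation. Terms are nested tuples, a prefix is a `Prefix` record holding the signature, flexible and forbidden variables, and `unify` runs the transitions until no unification pair is left, returning the composed $\rho$ together with the final prefix $Q'$, or raising `Fail`. Simplifications that are assumptions of this example: bound variables are taken to be pairwise distinct and identical on both sides of a $\xi$-step (so no renaming is needed), the occurrence check is the plain "$u$ occurs in $t$" test, pairs with different rigid heads fail, and fresh variable names are generated by a counter. `solves` and `has_solution` are helpers added for checking results.

```python
from dataclasses import dataclass
from itertools import count

# Terms: ("app", head, [args]) with head a variable or constant name, or
# ("lam", [x1, ..., xn], body); a lone variable x is ("app", x, []).
def App(h, args=()):
    return ("app", h, list(args))

def Lam(xs, body):
    return ("lam", list(xs), body)

@dataclass
class Prefix:            # forall-exists-forall prefix: signature, flexible, forbidden
    sig: set
    flex: list           # the existential part Q_exists
    forb: set

class Fail(Exception):
    pass

_counter = count(1)
def fresh(base):         # a new flexible variable u' (naming scheme is an assumption)
    return f"{base}'{next(_counter)}"

def free(t):
    """Names occurring free in t (constants included)."""
    if t[0] == "lam":
        return free(t[2]) - set(t[1])
    return {t[1]} | set().union(*(free(a) for a in t[2]))

def subst(t, rho):
    """Apply rho and normalize.  A flexible head is applied to distinct variables only
    (pattern condition), so beta-reduction is a renaming; bound names are assumed
    pairwise distinct, hence nothing is captured."""
    if t[0] == "lam":
        return Lam(t[1], subst(t[2], {k: v for k, v in rho.items() if k not in t[1]}))
    _, h, args = t
    args = [subst(a, rho) for a in args]
    if h not in rho:
        return App(h, args)
    val = rho[h]
    if val[0] == "lam" and len(val[1]) <= len(args):
        n = len(val[1])
        val, args = subst(val[2], dict(zip(val[1], args[:n]))), args[n:]
    return val if not args else App(val[1], val[2] + args)

def compose(rho, sigma):
    """rho o sigma in the paper's order: apply rho first, then sigma."""
    out = {k: subst(v, sigma) for k, v in rho.items()}
    out.update(sigma)
    return out

def prune_site(t, Q, ys, bound=frozenset()):
    """A subterm v w1 z w2 of t with v flexible and z free in t but not in ys:
    returns (v, args, index of z) or None."""
    if t[0] == "lam":
        return prune_site(t[2], Q, ys, bound | set(t[1]))
    _, h, args = t
    if h in Q.flex:
        for i, a in enumerate(args):
            if a[0] == "app" and not a[2] and a[1] not in bound and a[1] not in ys:
                return h, args, i
    for a in args:
        found = prune_site(a, Q, ys, bound)
        if found:
            return found
    return None

def unify(Q, eqs):
    """Transitions on Q.(r1 = s1 and ... and rn = sn) until no pair is left.
    Returns (rho, Q'); Q is updated in place to Q'.  Raises Fail."""
    rho, eqs = {}, list(eqs)
    def step(sigma):
        nonlocal rho, eqs
        rho = compose(rho, sigma)
        eqs = [(subst(r, sigma), subst(s, sigma)) for r, s in eqs]
    while eqs:
        r, s = eqs.pop(0)
        if r == s:                                          # identity
            continue
        if r[0] == "lam" and s[0] == "lam":                 # xi: the x's become forbidden
            if r[1] != s[1]:
                raise Fail("bound variables are assumed identical on both sides")
            Q.forb |= set(r[1]); eqs.append((r[2], s[2])); continue
        if r[0] != "app" or s[0] != "app":
            raise Fail("ill-typed pair")
        if r[1] not in Q.flex and s[1] in Q.flex:
            r, s = s, r
        if r[1] not in Q.flex:                              # rigid-rigid
            if r[1] != s[1] or len(r[2]) != len(s[2]):
                raise Fail("different rigid heads")
            eqs.extend(zip(r[2], s[2])); continue
        u, ys = r[1], [a[1] for a in r[2]]
        if s[1] in Q.flex:                                  # flex-flex
            v, zs, u2 = s[1], [a[1] for a in s[2]], fresh(u)
            if u == v:          # equal heads: keep positions where y_i = z_i
                ws = [y for y, z in zip(ys, zs) if y == z]
                sigma = {u: Lam(ys, App(u2, map(App, ws)))}
                Q.flex[Q.flex.index(u)] = u2
            else:               # different heads: keep the variables common to both
                ws = [y for y in ys if y in zs]
                sigma = {u: Lam(ys, App(u2, map(App, ws))), v: Lam(zs, App(u2, map(App, ws)))}
                Q.flex = [x for x in Q.flex if x not in (u, v)] + [u2]
            step(sigma); continue
        t = s                                               # flex-rigid
        if u in free(t):
            raise Fail("occurrence check")
        while (site := prune_site(t, Q, ys)) is not None:  # pruning
            v, args, i = site
            names = [a[1] for a in args]
            v2 = fresh(v)
            sigma = {v: Lam(names, App(v2, map(App, names[:i] + names[i + 1:])))}
            Q.flex[Q.flex.index(v)] = v2
            t = subst(t, sigma); step(sigma)
        if (free(t) - set(ys)) & Q.forb:
            raise Fail("pruning impossible")
        Q.flex.remove(u); step({u: Lam(ys, t)})             # explicit definition
    return rho, Q

def solves(rho, eqs):
    """Does rho unify every pair (after normalization)?"""
    return all(subst(r, rho) == subst(s, rho) for r, s in eqs)

def has_solution(Q, eqs):
    try:
        unify(Q, eqs); return True
    except Fail:
        return False
```

Run on the two examples of Section 4 (under $\exists y, Y_1, Y_2 \forall z$ the pairs $Y_1 z = y$, $Y_2 z = z$ succeed with $Y_2 := \lambda z.z$ and $Y_1$, $y$ identified through a fresh variable; under $\exists y, Y_1 \forall z$ the pairs $Y_1 z = y$, $Y_1 z = z$ fail in the "pruning impossible" subcase), the code reproduces exactly the outcomes stated there.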

Our next task is to prove that this algorithm indeed has the three properties stated above. The first one ($\rho$ is defined on flexible variables of $Q$ only, and its value terms have no free occurrences of forbidden variables from $Q$) is obvious from the definition. We now prove the second one; the third one will be proved in the next section.



Lemma 1. If $Q \Longrightarrow_\rho Q'$ and $G$ is a $Q$-goal, then $G\rho$ is a $Q'$-goal.

Proof. We distinguish cases according to the definition of the unification algorithm.

Cases identity, $\xi$ and rigid-rigid. Then $\rho = \varepsilon$ and the claim is trivial.

Case flex-flex with equal heads. Then $\rho = [u := \lambda\vec{y}.u'\vec{w}]$ with $\vec{w}$ a sublist of $\vec{y}$, and $Q'$ is $Q$ with $\exists u$ replaced by $\exists u'$. Then clearly $G[u := \lambda\vec{y}.u'\vec{w}]$ is a $Q'$-goal (recall that after a substitution we always normalize).

Case flex-flex with different heads. Then $\rho = [u, v := \lambda\vec{y}.u'\vec{w}, \lambda\vec{z}.u'\vec{w}]$ with $\vec{w}$ an enumeration of the variables both in $\vec{y}$ and in $\vec{z}$, and $Q'$ is $Q$ with $\exists u, \exists v$ removed and $\exists u'$ inserted. Again clearly $G[u, v := \lambda\vec{y}.u'\vec{w}, \lambda\vec{z}.u'\vec{w}]$ is a $Q'$-goal.

Case flex-rigid, Subcase pruning: Then $\rho = [v := \lambda\vec{w}_1, z, \vec{w}_2.v'\vec{w}_1\vec{w}_2]$, and $Q'$ is $Q$ with $\exists v$ replaced by $\exists v'$. Suppose $G$ is a $Q$-goal. Then clearly $G[v := \lambda\vec{w}_1, z, \vec{w}_2.v'\vec{w}_1\vec{w}_2]$ is a $Q'$-goal.

Case flex-rigid, Subcase explicit definition: Then $\rho = [u := \lambda\vec{y}t]$ with a $Q$-term $\lambda\vec{y}t$ without free occurrences of forbidden variables, and $Q'$ is obtained from $Q$ by removing $\exists u$. Suppose $G$ is a $Q$-goal. Then clearly $G[u := \lambda\vec{y}t]$ is a $Q'$-goal.



Let $Q \to_\rho Q'$ mean that for some $C, C'$ we have $QC \Longrightarrow_\rho Q'C'$. Write $Q \to^*_\rho Q'$ if there are $\rho_1, \ldots, \rho_n$ and $Q_1, \ldots, Q_{n-1}$ such that

$Q \to_{\rho_1} Q_1 \to_{\rho_2} \cdots \to_{\rho_{n-1}} Q_{n-1} \to_{\rho_n} Q'$,

and $\rho = \rho_1 \circ \cdots \circ \rho_n$.

Corollary 1. If $Q \to^*_\rho Q'$ and $G$ is a $Q$-goal, then $G\rho$ is a $Q'$-goal.

3 Correctness and Completeness of the Unification Algorithm

Lemma 2. Let a unification problem $\mathcal{U}$ consisting of a $\forall\exists\forall$-prefix $Q$ and a list $\vec{r} = \vec{s}$ of unification pairs be given. Then either

— the unification algorithm makes a transition $\mathcal{U} \Longrightarrow_\rho \mathcal{U}'$, and

$\Phi'\colon \mathcal{U}'\text{-solutions} \to \mathcal{U}\text{-solutions}, \quad \varphi' \mapsto (\rho \circ \varphi')\restriction Q_\exists$

is well-defined and we have $\Phi\colon \mathcal{U}\text{-solutions} \to \mathcal{U}'\text{-solutions}$ such that $\Phi'$ is inverse to $\Phi$, i.e. $\Phi'(\Phi\varphi) = \varphi$, or else

— the unification algorithm fails, and there is no $\mathcal{U}$-solution.

Proof. Case identity, i.e., $Q.r = r \wedge C \Longrightarrow_\varepsilon QC$. Let $\Phi$ be the identity.

Case $\xi$, i.e., $Q.\lambda\vec{x} r = \lambda\vec{x} s \wedge C \Longrightarrow_\varepsilon Q\forall\vec{x}.r = s \wedge C$. Let again $\Phi$ be the identity.

Case rigid-rigid, i.e., $Q.f\vec{r} = f\vec{s} \wedge C \Longrightarrow_\varepsilon Q.\vec{r} = \vec{s} \wedge C$. Let again $\Phi$ be the identity.

Case flex-flex with equal heads, i.e., $Q.u\vec{y} = u\vec{z} \wedge C \Longrightarrow_\rho Q'.C\rho$ with $\rho = [u := \lambda\vec{y}.u'\vec{w}]$, $Q'$ is $Q$ with $\exists u$ replaced by $\exists u'$, and $\vec{w}$ an enumeration of those $y_i$ which are identical to $z_i$ (i.e., the variable at the same position in $\vec{z}$). Notice that $\lambda\vec{y}.u'\vec{w} = \lambda\vec{z}.u'\vec{w}$.

1. $\Phi'$ is well-defined: Let $\varphi'$ be a $\mathcal{U}'$-solution, i.e., assume that $C\rho\varphi'$ holds. We must show that $\varphi := (\rho \circ \varphi')\restriction Q_\exists$ is a $\mathcal{U}$-solution.

For $u\vec{y} = u\vec{z}$: We must show $(u\varphi)\vec{y} = (u\varphi)\vec{z}$. But $u\varphi = u\rho\varphi' = (\lambda\vec{y}.u'\vec{w})\varphi'$. Hence $(u\varphi)\vec{y} = (u\varphi)\vec{z}$ by the construction of $\vec{w}$.

For $(r = s) \in C$: We need to show $(r = s)\varphi$. But by assumption $(r = s)\rho\varphi'$ holds, and $r = s$ has all its flexible variables from $Q_\exists$.

2. Definition of $\Phi\colon \mathcal{U}\text{-solutions} \to \mathcal{U}'\text{-solutions}$. Let a $Q$-substitution $\varphi$ be given such that $(u\vec{y} = u\vec{z})\varphi$ and $C\varphi$. Define $u'(\Phi\varphi) := \lambda\vec{w}.(u\varphi)\vec{w}\vec{0}$ (w.l.o.g.), and $v(\Phi\varphi) := v\varphi$ for every other variable $v$ in $Q_\exists$.

$\Phi\varphi =: \varphi'$ is a $\mathcal{U}'$-solution: Let $(r = s) \in C$. Then $(r = s)\varphi$ by assumption, for $\varphi$ is a $Q$-substitution such that $C\varphi$ holds. We must show

$(r = s)\rho\varphi'$.

Notice that our assumption $(u\varphi)\vec{y} = (u\varphi)\vec{z}$ implies that the normal form of both sides can only contain the variables in $\vec{w}$. Therefore

$u\rho\varphi' = (\lambda\vec{y}.u'\vec{w})\varphi' = \lambda\vec{y}.(\lambda\vec{w}.(u\varphi)\vec{w}\vec{0})\vec{w} = \lambda\vec{y}.(u\varphi)\vec{w}\vec{0} = \lambda\vec{y}.(u\varphi)\vec{y} = u\varphi$

and hence $(r = s)\rho\varphi'$.

3. $\Phi'(\Phi\varphi) = \varphi$: So let $\varphi$ be a $\mathcal{U}$-solution, and $\varphi' := \Phi\varphi$. Then

$u(\Phi'\varphi') = u((\rho \circ \varphi')\restriction Q_\exists) = u\rho\varphi' = u\varphi$, as proved in 2.

For every other variable $v$ in $Q_\exists$ we obtain

$v(\Phi'\varphi') = v((\rho \circ \varphi')\restriction Q_\exists) = v\rho\varphi' = v\varphi' = v\varphi$.

Case flex-flex with different heads, i.e., $\mathcal{U}$ is $Q.u\vec{y} = v\vec{z} \wedge C$. Let $\vec{w}$ be an enumeration of the variables both in $\vec{y}$ and in $\vec{z}$. Then $\rho = [u, v := \lambda\vec{y}.u'\vec{w}, \lambda\vec{z}.u'\vec{w}]$, $Q'$ is $Q$ with $\exists u, \exists v$ removed and $\exists u'$ inserted, and $\mathcal{U}' = Q'C\rho$.

1. $\Phi'$ is well-defined: Let $\varphi'$ be a $\mathcal{U}'$-solution, i.e., assume that $C\rho\varphi'$ holds. We must show that $\varphi := (\rho \circ \varphi')\restriction Q_\exists$ is a $\mathcal{U}$-solution.

For $u\vec{y} = v\vec{z}$: We need to show $(u\varphi)\vec{y} = (v\varphi)\vec{z}$. But $(u\varphi)\vec{y} = (u\rho\varphi')\vec{y} = (\lambda\vec{y}.(u'\varphi')\vec{w})\vec{y} = (u'\varphi')\vec{w}$, and similarly $(v\varphi)\vec{z} = (u'\varphi')\vec{w}$.

For $(r = s) \in C$: We need to show $(r = s)\varphi$. But since $u'$ is a new variable, $\varphi$ and $\rho \circ \varphi'$ coincide on all variables free in $r = s$, and we have $(r = s)\rho\varphi'$ by assumption.

2. Definition of $\Phi\colon \mathcal{U}\text{-solutions} \to \mathcal{U}'\text{-solutions}$. Let a $Q$-substitution $\varphi$ be given such that $(u\vec{y} = v\vec{z})\varphi$ and $C\varphi$. Define

$u'(\Phi\varphi) := \lambda\vec{w}.(u\varphi)\vec{w}\vec{0}$ (w.l.o.g.; $\vec{0}$ arbitrary),

$v'(\Phi\varphi) := \lambda\vec{w}.(v\varphi)\vec{0}\vec{w}$,

$w(\Phi\varphi) := w\varphi$ otherwise, i.e., for $w \neq u', v'$ flexible.

Since by assumption $(u\varphi)\vec{y} = (v\varphi)\vec{z}$, the normal forms of both $(u\varphi)\vec{y}$ and $(v\varphi)\vec{z}$ can only contain the common variables $\vec{w}$ from $\vec{y}, \vec{z}$ free. Hence, for $\varphi' := \Phi\varphi$, $u\rho\varphi' = u\varphi$ by the argument in the previous case, and similarly $v\rho\varphi' = v\varphi$. Since $r\varphi = s\varphi$ ($(r = s) \in C$ arbitrary) by assumption, and $\rho$ only affects $u$ and $v$, we obtain $r\rho\varphi' = s\rho\varphi'$, as required. $\Phi'(\Phi\varphi) = \varphi$ can now be proved as in the previous case.

Case flex-rigid, $\mathcal{U}$ is $Q.u\vec{y} = t \wedge C$.

Subcase occurrence check: $t$ contains (a critical subterm with head) $u$. Then clearly there is no $Q$-substitution $\varphi$ such that $(u\varphi)\vec{y} = t\varphi$.

Subcase pruning: Here $t$ contains a subterm $v\vec{w}_1 z \vec{w}_2$ with $\exists v$ in $Q$, and $z$ free in $t$. Then $\rho = [v := \lambda\vec{w}_1, z, \vec{w}_2.v'\vec{w}_1\vec{w}_2]$, $Q'$ is $Q$ with $\exists v$ replaced by $\exists v'$, and $\mathcal{U}' = Q'.u\vec{y} = t\rho \wedge C\rho$.

1. $\Phi'$ is well-defined: Let $\varphi'$ be a $\mathcal{U}'$-solution, i.e., $(u\varphi')\vec{y} = t\rho\varphi'$, and $r\rho\varphi' = s\rho\varphi'$ for $(r = s) \in C$. We must show that $\varphi := (\rho \circ \varphi')\restriction Q_\exists$ is a $\mathcal{U}$-solution.

For $u\vec{y} = t$: We need to show $(u\varphi)\vec{y} = t\rho\varphi'$. But

$(u\varphi)\vec{y} = (u\rho\varphi')\vec{y} = (u\varphi')\vec{y}$ (since $\rho$ does not touch $u$) $= t\rho\varphi'$ (by assumption).

For $(r = s) \in C$: We need to show $(r = s)\varphi$. But since $v'$ is a new variable, $\varphi = (\rho \circ \varphi')\restriction Q_\exists$ and $\rho \circ \varphi'$ coincide on all variables free in $r = s$, and the claim follows from $(r = s)\rho\varphi'$.
2. Definition of $\Phi\colon \mathcal{U}\text{-solutions} \to \mathcal{U}'\text{-solutions}$. For a $\mathcal{U}$-solution $\varphi$ define

$v'(\Phi\varphi) := \lambda\vec{w}_1, \vec{w}_2.(v\varphi)\vec{w}_1\,0\,\vec{w}_2$,

$w(\Phi\varphi) := w\varphi$ otherwise, i.e., for $w \neq v', v$ flexible.

Since by assumption $(u\varphi)\vec{y} = t\varphi$, the normal form of $t\varphi$ cannot contain $z$ free. Therefore, for $\varphi' := \Phi\varphi$,

$v\rho\varphi' = (\lambda\vec{w}_1, z, \vec{w}_2.v'\vec{w}_1\vec{w}_2)\varphi' = \lambda\vec{w}_1, z, \vec{w}_2.(\lambda\vec{w}_1, \vec{w}_2.(v\varphi)\vec{w}_1\,0\,\vec{w}_2)\vec{w}_1\vec{w}_2 = \lambda\vec{w}_1, z, \vec{w}_2.(v\varphi)\vec{w}_1\,0\,\vec{w}_2 = \lambda\vec{w}_1, z, \vec{w}_2.(v\varphi)\vec{w}_1\,z\,\vec{w}_2 = v\varphi$.

Hence $\varphi' = \Phi\varphi$ satisfies $(u\varphi')\vec{y} = t\rho\varphi'$. For $r = s$ this follows by the same argument. $\Phi'(\Phi\varphi) = \varphi$ can again be proved as in the previous case.

Subcase pruning impossible: Then $\lambda\vec{y}t$ has an occurrence of a universally quantified (i.e., forbidden) variable $z$. Therefore clearly there is no $Q$-substitution $\varphi$ such that $(u\varphi)\vec{y} = t\varphi$.

Subcase explicit definition. Then $\rho = [u := \lambda\vec{y}t]$, $Q'$ is obtained from $Q$ by removing $\exists u$, and $\mathcal{U}' = Q'C\rho$. Note that $\rho$ is a $Q'$-substitution, for we have performed the pruning steps.

1. $\Phi'$ is well-defined: Let $\varphi'$ be a $\mathcal{U}'$-solution, i.e., $r\rho\varphi' = s\rho\varphi'$ for $(r = s) \in C$. We must show that $\varphi := (\rho \circ \varphi')\restriction Q_\exists$ is a $\mathcal{U}$-solution.

For $u\vec{y} = t$: We need to show $(u\rho\varphi')\vec{y} = t\rho\varphi'$. But

$(u\rho\varphi')\vec{y} = ((\lambda\vec{y}t)\varphi')\vec{y} = t\varphi' = t\rho\varphi'$ since $u$ does not appear in $t$.

For $(r = s) \in C$: We need to show $(r = s)\varphi$. But this clearly follows from $(r = s)\rho\varphi'$.

2. Definition of $\Phi\colon \mathcal{U}\text{-solutions} \to \mathcal{U}'\text{-solutions}$, and proof of $\Phi'(\Phi\varphi) = \varphi$. For a $\mathcal{U}$-solution $\varphi$ define $\Phi\varphi := \varphi\restriction Q'_\exists$. Then

$u\rho\varphi' = \lambda\vec{y}t\varphi' = \lambda\vec{y}t\varphi = u\varphi$,

and clearly $v\rho\varphi' = v\varphi$ for all other flexible $v$. For $(r = s) \in C$, from $r\varphi = s\varphi$ we easily obtain $r\varphi' = s\varphi'$.

It is not hard to see that the unification algorithm terminates, by defining a 
measure that decreases with each transition. 

Corollary 2. Given a unification problem $\mathcal{U} = QC$, the unification algorithm either returns fail, and there is no $\mathcal{U}$-solution, or else returns a pair $(Q', \rho)$ with a “transition” substitution $\rho$ and a prefix $Q'$ (i.e., a unification problem $\mathcal{U}'$ with no unification pairs) such that for any $Q'$-substitution $\varphi'$, $(\rho \circ \varphi')\restriction Q_\exists$ is a $\mathcal{U}$-solution, and every $\mathcal{U}$-solution can be obtained in this way. Since the empty substitution is a $Q'$-substitution, $\rho\restriction Q_\exists$ is a $\mathcal{U}$-solution, which is most general in the sense stated.

$unif(Q, \vec{r} = \vec{s})$ denotes the result of the unification algorithm at $\mathcal{U} = Q.\vec{r} = \vec{s}$.

4 Proof Search 

A $Q$-sequent has the form $\mathcal{P} \Rightarrow G$, where $\mathcal{P}$ is a list of $Q$-clauses and $G$ is a $Q$-goal.

We write $M[\mathcal{P}]$ to indicate that all assumption variables in the derivation $M$ concern clauses in $\mathcal{P}$.

Write $\vdash^n S$ for a set $S$ of sequents if there are derivations $M_i[\mathcal{P}_i]$ in long normal form for all $(\mathcal{P}_i \Rightarrow G_i) \in S$ such that $\sum_i \sharp M_i \le n$. Let $\vdash^{<n} S$ mean $\exists_{m<n} \vdash^m S$.

We now prove correctness and completeness of the proof search procedure: 
correctness is the if-part of the two lemmata to follow, and completeness the 
only-if-part. 

Lemma 3. Let $Q$ be a $\forall\exists\forall$-prefix, $\{\mathcal{P} \Rightarrow \forall\vec{x}.\vec{D} \to A\} \cup S$ $Q$-sequents with $\vec{x}, \vec{D}$ not both empty. Then we have for every substitution $\varphi$:

$\varphi$ is a $Q$-substitution such that $\vdash^n (\{\mathcal{P} \Rightarrow \forall\vec{x}.\vec{D} \to A\} \cup S)\varphi$

if and only if

$\varphi$ is a $Q\forall\vec{x}$-substitution such that $\vdash^{<n} (\{\mathcal{P} \cup \vec{D} \Rightarrow A\} \cup S)\varphi$.

Proof. “If”. Let $\varphi$ be a $Q\forall\vec{x}$-substitution and $\vdash^{<n} (\{\mathcal{P} \cup \vec{D} \Rightarrow A\} \cup S)\varphi$. So we have

$N^{A\varphi}[\vec{D}\varphi \cup \mathcal{P}\varphi]$.

Since $\varphi$ is a $Q\forall\vec{x}$-substitution, no variable in $\vec{x}$ can be free in $\mathcal{P}\varphi$, or free in $y\varphi$ for some $y \in \mathrm{dom}(\varphi)$. Hence

$M := \lambda\vec{x}\lambda\vec{u}^{\vec{D}\varphi}.N$

is a correct derivation.

“Only if”. Let $\varphi$ be a $Q$-substitution and $\vdash^n (\{\mathcal{P} \Rightarrow \forall\vec{x}.\vec{D} \to A\} \cup S)\varphi$. This means we have a derivation (in long normal form)

$M = \lambda\vec{x}\lambda\vec{u}^{\vec{D}\varphi}.N^{A\varphi}[\vec{D}\varphi \cup \mathcal{P}\varphi]$.

Now $\sharp N < \sharp M$, hence $\vdash^{<n} (\{\mathcal{P} \cup \vec{D} \Rightarrow A\} \cup S)\varphi$, and $\varphi$ clearly is a $Q\forall\vec{x}$-substitution.
Lemma 4. Let $Q$ be a $\forall\exists\forall$-prefix, $\{\mathcal{P} \Rightarrow P\vec{r}\} \cup S$ $Q$-sequents and $\varphi$ a substitution. Then

$\varphi$ is a $Q$-substitution such that $\vdash^n (\{\mathcal{P} \Rightarrow P\vec{r}\} \cup S)\varphi$

if and only if there is a clause $\forall\vec{x}.\vec{G} \to P\vec{s}$ in $\mathcal{P}$ such that the following holds. Let $\vec{z}$ be the final universal variables in $Q$, $\vec{X}$ be new (“raised”) variables such that $X_i\vec{z}$ has the same type as $x_i$, let $Q^*$ be $Q$ with the existential variables extended by $\vec{X}$, and let $^*$ indicate the substitution $[x_1, \ldots, x_n := X_1\vec{z}, \ldots, X_n\vec{z}]$. Then $unif(Q^*, \vec{r} = \vec{s}^*) = (Q', \rho)$ and there is a $Q'$-substitution $\varphi'$ such that $\vdash^{<n} (\{\mathcal{P} \Rightarrow \vec{G}^*\} \cup S)\rho\varphi'$, and $\varphi = (\rho \circ \varphi')\restriction Q_\exists$.

Proof. “If”. Let $unif(Q^*, \vec{r} = \vec{s}^*) = (Q', \rho)$, and assume that $\varphi'$ is a $Q'$-substitution such that $N_i \vdash (\mathcal{P} \Rightarrow \vec{G}^*)\rho\varphi'$. Let $\varphi := (\rho \circ \varphi')\restriction Q_\exists$. From $unif(Q^*, \vec{r} = \vec{s}^*) = (Q', \rho)$ we know $\vec{r}\rho = \vec{s}^*\rho$, hence $\vec{r}\rho\varphi' = \vec{s}^*\rho\varphi'$. Then

$u^{(\forall\vec{x}.\vec{G} \to P\vec{s})\varphi}\,((\vec{X}\rho\varphi')\vec{z})\,\vec{N}$

derives $P\vec{s}^*\rho\varphi'$ (i.e., $P\vec{r}\varphi$) from $\mathcal{P}\varphi$.

“Only if”. Assume $\varphi$ is a $Q$-substitution such that $\vdash^n (\mathcal{P} \Rightarrow P\vec{r})\varphi$, say by $u^{(\forall\vec{x}.\vec{G} \to P\vec{s})\varphi}\,\vec{t}\,\vec{N}^{(\vec{G}\varphi)[\vec{x} := \vec{t}]}$ with $\forall\vec{x}.\vec{G} \to P\vec{s}$ a clause in $\mathcal{P}$, and with additional assumptions from $\mathcal{P}\varphi$ in $\vec{N}$. Then $\vec{r}\varphi = (\vec{s}\varphi)[\vec{x} := \vec{t}]$. Since we can assume that the variables $\vec{x}$ are new and in particular not range variables of $\varphi$, with

$\vartheta := \varphi \cup [\vec{x} := \vec{t}]$

we have $\vec{r}\varphi = \vec{s}\vartheta$. Let $\vec{z}$ be the final universal variables in $Q$, $\vec{X}$ be new (“raised”) variables such that $X_i\vec{z}$ has the same type as $x_i$, let $Q^*$ be $Q$ with the existential variables extended by $\vec{X}$, and for terms and formulas let $^*$ indicate the substitution $[x_1, \ldots, x_n := X_1\vec{z}, \ldots, X_n\vec{z}]$. Moreover, let

$\vartheta^* := \varphi \cup [X_1, \ldots, X_n := \lambda\vec{z}.t_1, \ldots, \lambda\vec{z}.t_n]$.

Then $\vec{r}\vartheta^* = \vec{r}\varphi = \vec{s}\vartheta = \vec{s}^*\vartheta^*$, i.e., $\vartheta^*$ is a solution to the unification problem given by $Q^*$ and $\vec{r} = \vec{s}^*$. Hence by Lemma 2 $unif(Q^*, \vec{r} = \vec{s}^*) = (Q', \rho)$ and there is a $Q'$-substitution $\varphi'$ such that $\vartheta^* = (\rho \circ \varphi')\restriction Q^*_\exists$, hence $\varphi = (\rho \circ \varphi')\restriction Q_\exists$. Also, $(\vec{G}\varphi)[\vec{x} := \vec{t}] = \vec{G}\vartheta = \vec{G}^*\vartheta^* = \vec{G}^*\rho\varphi'$.

A state is a pair $(Q, S)$ with $Q$ a prefix and $S$ a finite set of $Q$-sequents. By the two lemmas just proved we have state transitions

$(Q, \{\mathcal{P} \Rightarrow \forall\vec{x}.\vec{D} \to A\} \cup S) \mapsto (Q\forall\vec{x}, \{\mathcal{P} \cup \vec{D} \Rightarrow A\} \cup S)$

$(Q, \{\mathcal{P} \Rightarrow P\vec{r}\} \cup S) \mapsto (Q', (\{\mathcal{P} \Rightarrow \vec{G}^*\} \cup S)\rho)$,

where in the latter case there is a clause $\forall\vec{x}.\vec{G} \to P\vec{s}$ in $\mathcal{P}$ such that the following holds. Let $\vec{z}$ be the final universal variables in $Q$, $\vec{X}$ be new (“raised”) variables such that $X_i\vec{z}$ has the same type as $x_i$, let $Q^*$ be $Q$ with the existential variables extended by $\vec{X}$, let $^*$ indicate the substitution $[x_1, \ldots, x_n := X_1\vec{z}, \ldots, X_n\vec{z}]$, and $unif(Q^*, \vec{r} = \vec{s}^*) = (Q', \rho)$.

Notice that by Lemma 1, if $\mathcal{P} \Rightarrow P\vec{r}$ is a $Q$-sequent (which means that $\bigwedge\mathcal{P} \to P\vec{r}$ is a $Q$-goal), then $(\mathcal{P} \Rightarrow \vec{G}^*)\rho$ is a $Q'$-sequent.
Theorem 1. Let $Q$ be a prefix, and $S$ be a set of $Q$-sequents. For every substitution $\varphi$ we have: $\varphi$ is a $Q$-substitution satisfying $\vdash S\varphi$ iff there is a prefix $Q'$, a substitution $\rho$ and a $Q'$-substitution $\varphi'$ such that

$(Q, S) \mapsto^* (Q', \emptyset)$,

$\varphi = (\rho \circ \varphi')\restriction Q_\exists$.

Examples. 1. The sequent $\forall y_1, y_2\, Ry_1y_2 \Rightarrow \exists y\forall z\, Ryz$ leads first to $\forall y_1, y_2\, Ry_1y_2 \Rightarrow Ryz$ under $\exists y\forall z$, then to $y_1 = y \wedge y_2 = z$ under $\exists y\forall z\exists y_1, y_2$, and finally to $Y_1 z = y \wedge Y_2 z = z$ under $\exists y, Y_1, Y_2\forall z$, which has the solution $Y_1 = \lambda z\, y$, $Y_2 = \lambda z\, z$.

2. $\forall y_1\, Ry_1y_1 \Rightarrow \exists y\forall z\, Ryz$ leads first to $\forall y_1\, Ry_1y_1 \Rightarrow Ryz$ under $\exists y\forall z$, then to $y_1 = y \wedge y_1 = z$ under $\exists y\forall z\exists y_1$, and finally to $Y_1 z = y \wedge Y_1 z = z$ under $\exists y, Y_1\forall z$, which has no solution.

3. Here is a more complex example (derived from proofs of the Orevkov formulas), for which we only give the derivation tree.

[Derivation tree; its layout is not recoverable from the scan. The formulas occurring in it, from the leaves downwards, are: $\forall z.S0z \to \bot$, $(*)$, $Rzz_1$, $S0z_1$, $\bot$, $\forall y.(\forall z_1 Ryz_1 \to \bot) \to \bot$, $Rzz_1 \to \bot$, $(\forall z_1 Rzz_1 \to \bot) \to \bot$, $\forall z_1 Rzz_1 \to \bot$, $\bot$, $\forall y.(\forall z Ryz \to \bot) \to \bot$, $R0z \to \bot$, $(\forall z R0z \to \bot) \to \bot$, $\forall z R0z \to \bot$, $\bot$.]

where $(*)$ is a derivation from $\mathrm{Hyp}_1\colon \forall z, z_1.R0z \to Rzz_1 \to S0z_1$.

5 Extension by $\wedge$ and $\exists$

The extension by conjunction is rather easy; it is even superfluous in princi- 
ple, since conjunctions can always be avoided at the expense of having lists of 
formulas instead of single formulas. 

However, having conjunctions available is clearly useful at times, so let’s add it. This requires the notion of an elaboration path for a formula (cf. [1]). The reason is that the property of a formula to have a unique atom as its head is lost when conjunctions are present. An elaboration path is meant to give the directions (left or right) to go when we encounter a conjunction as a strictly positive subformula. For example, the elaboration paths of $\forall x A \wedge (B \wedge C \to D \wedge \forall y E)$ are (left), (right, left) and (right, right). Clearly, a formula is equivalent to the conjunction (over all elaboration paths) of all formulas obtained from it by following an elaboration path (i.e., always throwing away the other part of the conjunction). In our example,

$\forall x A \wedge (B \wedge C \to D \wedge \forall y E) \leftrightarrow \forall x A \wedge (B \wedge C \to D) \wedge (B \wedge C \to \forall y E)$.




Proof Search in Minimal Logic 25



In this way we regain the property of a formula to have a unique head, and our 
previous search procedure continues to work. 
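Elaboration paths and the splitting they induce, as an added Python example (not code from the paper): `elaboration_paths` collects the left/right choices at every conjunction met as a strictly positive subformula, `follow` discards the other conjunct along one path, and `split` returns the list of path formulas whose conjunction is equivalent to the input, each of which again has a unique head atom. The encoding of formulas as tuples tagged `atom`, `and`, `imp`, `forall` is an assumption of this example.

```python
# Formulas (constructed encoding): ("atom", name), ("and", A, B), ("imp", A, B),
# ("forall", x, A).  Strictly positive subformulas are reached through the
# conclusion of an implication and the body of a universal quantifier; the
# premise of an implication is not strictly positive and is never split.

def elaboration_paths(formula):
    """All elaboration paths of formula, each a tuple of 'left'/'right'."""
    kind = formula[0]
    if kind == "atom":
        return [()]
    if kind == "and":
        return ([("left",) + p for p in elaboration_paths(formula[1])] +
                [("right",) + p for p in elaboration_paths(formula[2])])
    if kind in ("imp", "forall"):
        return elaboration_paths(formula[2])
    raise ValueError(f"unknown formula kind {kind!r}")

def follow(formula, path):
    """The formula obtained by following path, i.e. by throwing away the other
    part of every conjunction met on the way."""
    kind = formula[0]
    if kind == "and":
        return follow(formula[1 if path[0] == "left" else 2], path[1:])
    if kind == "imp":
        return ("imp", formula[1], follow(formula[2], path))
    if kind == "forall":
        return ("forall", formula[1], follow(formula[2], path))
    assert kind == "atom" and path == (), "path does not fit the formula"
    return formula

def head(formula):
    """The unique head atom of a path formula (no strictly positive conjunction)."""
    while formula[0] != "atom":
        assert formula[0] in ("imp", "forall"), "conjunction still present"
        formula = formula[2]
    return formula

def split(formula):
    """The formulas obtained from formula along all its elaboration paths; their
    conjunction is equivalent to formula, and each has a unique head."""
    return [follow(formula, p) for p in elaboration_paths(formula)]

if __name__ == "__main__":
    A, B, C, D, E = (("atom", n) for n in "ABCDE")
    F = ("and", ("forall", "x", A), ("imp", ("and", B, C), ("and", D, ("forall", "y", E))))
    print(elaboration_paths(F))      # [('left',), ('right', 'left'), ('right', 'right')]
    for G in split(F):
        print(G, "head:", head(G))
```

On the paper's own example the three paths yield $\forall x A$, $B \wedge C \to D$ and $B \wedge C \to \forall y E$, with heads $A$, $D$ and $E$ respectively; the conjunction $B \wedge C$ in the premise survives untouched, since only strictly positive conjunctions are split.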

For the existential quantifier $\exists$ the problem is of a different nature. We chose to introduce $\exists$ by means of axiom schemata. Then the problem is which of such schemes to use in proof search, given a goal $G$ and a set $\mathcal{P}$ of clauses. We might proceed as follows.

List all prime, positive and negative existential subformulas of $\mathcal{P} \Rightarrow G$, and remove any formula from those lists which is of the form of another one¹. For every positive existential formula, say $\exists x B$, add (the generalization of) the existence introduction scheme

$B \to \exists x B$

to $\mathcal{P}$. Moreover, for every negative existential formula, say $\exists x A$, and every (prime or existential) formula $C$ in any of those two lists, except the formula $\exists x A$ itself, add (the generalization of) the existence elimination scheme

$\exists x A \to (\forall x.A \to C) \to C$

to $\mathcal{P}$. Then start the search algorithm as described in Section 4. The normal form theorem for the natural deduction system of minimal logic with $\exists$ then guarantees completeness.

However, experience has shown that this complete search procedure tends to be trapped in too large a search space. Therefore in our actual implementation we decided to only take instances of the existence elimination scheme with existential conclusions.



Acknowledgements

I have benefitted from a presentation of Miller’s [1] given by Ulrich Berger, in a logic seminar in München in June 1991.



References

1. Dale Miller. A logic programming language with lambda-abstraction, function variables and simple unification. Journal of Logic and Computation, 2(4):497–536, 1991.

2. Tobias Nipkow. Higher-order critical pairs. In R. Vemuri, editor, Proceedings of the Sixth Annual IEEE Symposium on Logic in Computer Science, pages 342–349, Los Alamitos, 1991. IEEE Computer Society Press.

¹ To do this, for patterns the dual of the theory of “most general unifiers”, i.e., a theory of “most special generalizations”, needs to be developed.




Planning and Patching Proof*

Alan Bundy

School of Informatics, University of Edinburgh
3.09 Appleton Tower, 11 Crichton Street, Edinburgh, EH8 9LE, UK
A.Bundy@ed.ac.uk



Abstract. We describe proof planning: a technique for both describing 
the hierarchical structure of proofs and then using this structure to guide 
proof attempts. When such a proof attempt fails, these failures can be 
analyzed and a patch formulated and applied. We also describe rippling: 
a powerful proof method used in proof planning. We pose and answer a 
number of common questions about proof planning and rippling. 



1 Introduction 

The Program Committee Chair of AiSC-04 suggested that the published version 
of my talk might be: 

“ ... a short paper telling our audience what are the highlights of the 
publication landscape for the subject of your presentation, what they 
should read if they want to become better informed by systematic read- 
ing, and why they should read the cited material (i.e. why it represents 
the highlights), could have both immediate use and longer-term educa- 
tional use for people who don’t attend the conference but buy or read 
the proceedings later.” 

Below I have attempted to fulfill this brief. I have organized the paper as a 
‘Frequently Asked Questions’ about proof planning, in general, and rippling, in 
particular. 

2 Proof Planning 

2.1 Introduction 

What Is Proof Planning? Proof planning is a technique for guiding the search 
for a proof in automated theorem proving. A proof plan is an outline or plan 
of a proof. To prove a conjecture, proof planning constructs a proof plan for a 
proof and uses it to guide the construction of the proof itself. Proof planning 
reduces the amount of search and curbs the combinatorial explosion. It also helps 
pinpoint the cause of any proof attempt failure, suggesting a patch to facilitate 
a renewed attempt. 

* The research reported in this paper was supported by EPSRC grant GR/S01771.

B. Buchberger and J.A. Campbell (Eds.): AISC 2004, LNAI 3249, pp. 26–37, 2004.
© Springer-Verlag Berlin Heidelberg 2004
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Common patterns in proofs are identified and represented in computational 
form as general-purpose tactics, i.e. programs for directing the proof search 
process. These tactics are then formally specified with methods using a meta- 
language. Standard patterns of proof failure and appropriate patches to the 
failed proofs attempts are represented as critics. To form a proof plan for a 
conjecture the proof planner reasons with these methods and critics. The proof 
plan consists of a customized tactic for the conjecture, whose primitive actions 
are the general-purpose tactics. This customized tactic directs the search of a 
tactic-based theorem prover. 

For a general, informal introduction to proof planning see [Bundy, 1991]. 
Proof planning was first introduced in [Bundy, 1988]. An earlier piece of 
work that led to the development of proof planning was the use of meta-level in- 
ference to guide equation solving, implemented in the Press system (see 
[Sterling et al, 1989]). 

Has Proof Planning Been Implemented? Yes, in the Oyster/Clam system 
[Bundy et al, 1990] and XClam system at Edinburgh and the Omega system at 
Saarbrücken [Benzmüller et al, 1997]. Clam and XClam are the proof planners. 
They construct a customized tactic for a conjecture and then a proof checker, 
such as Oyster, executes the tactic. 

In principle, Clam could be interfaced to any tactic-based theorem prover. To 
test this assertion, we interfaced Clam to the Cambridge HOL theorem prover 
[Boulton et al, 1998]. We are currently building a proof planner, called 
IsaPlanner, in Isabelle [Dixon & Fleuriot, 2003]. 



How Has Proof Planning Been Evaluated? One of the main domains 
of application has been in inductive reasoning [Bundy, 2001], with applications 
to software and hardware verification, synthesis and transformation, but it has 
also been applied to co-induction [Dennis et al, 2000], limit theorems, diagonal- 
ization arguments, transfinite ordinals, summing series, equational reasoning, 
meta-logical reasoning, algebra, etc. A survey of such applications can be found 
in chapter 5 of [Bundy et al, 2005]. 



Can Proof Planning Be Applied to Non-mathematical Domains? Yes. 
We have had some success applying proof planning to game playing (Bridge 
[Frank et al, 1992, Frank & Basin, 1998] and Go [Willmott et al, 2001]) and to 
configuration problems [Lowe et al, 1998]. It is potentially applicable wherever 
there are common patterns of reasoning. Proof planning can be used to match 
the problem to the reasoning method in a process of meta-level reasoning. Proof 
planning gives a clean separation between the factual and search control infor- 
mation, which facilitates their independent modification. 



What Is the Relation Between Proof Planning and Rippling? Rippling 
is a key method in our proof plans for induction. It is also useful in non-inductive 
domains. However, you can certainly envisage a proof planning system which did 
not contain a rippling method (the Saarbrücken Omega system, for instance) and 
you can envisage using rippling, e.g. as a tactic, in a non-proof planning system. 
So there is no necessary connection. For more on rippling see §3. 



What Are the Scope and Limitations of Proof Planning? A critical 
evaluation of proof planning can be found in [Bundy, 2002] . 



2.2 Discovery and Learning 

Is It Possible to Automate the Learning of Proof Plans? Proof plans 
can be learnt from example proofs. In the case of equation-solving methods, 
this was demonstrated in [Silver, 1985]; in the case of inductive proof methods it 
was demonstrated in [Desimone, 1989]. Both projects used forms of explanation- 
based generalization. We also have a current project on the use of data-mining 
techniques (both probabilistic reasoning and genetic programming) to construct 
tactics from large corpora of proofs, [Duncan et al, 2004]. 

The hardest aspect of learning proof plans is coming up with the key meta-level 
concepts to describe the preconditions of the methods. An example of such a 
meta-level concept is the ‘wave-front’ idea used in rippling. We have not made 
much progress on automating the learning of these. 



How Can Humans Discover Proof Plans? This is an art similar to the 
skill used by a good mathematics teacher when analyzing a student’s proof or 
explaining a new method of proof to a class. The key is identifying the appro- 
priate meta-level concepts to generalize from particular examples. Armed with 
the right concepts, standard inductive learning techniques can form the right 
generalization (see §2.2). 

2.3 Drawbacks and Limitations 

What Happens if the Attempt to Find a Proof Plan Fails? In certain 
circumstances proof critics can suggest an appropriate patch to a partial proof 
plan. Suppose the preconditions of a method succeed, but this method is un- 
packed into a series of sub-methods one of which fails, i.e. the preconditions of 
the sub-method fail. Critics are associated with some of these patterns of fail- 
ure. For instance, one critic may fire if the first two preconditions of a method 
succeed, but the last one fails. It will then suggest an appropriate patch for this 
kind of failure, e.g. suggest the form of a missing lemma, or suggest generalizing 
the conjecture. The patch is instituted and proof planning continues. 

The original critics paper is [Ireland, 1992]. A more recent paper is 
[Ireland & Bundy, 1996]. Two important applications of critics are: discovering 
loop invariants in the verification of imperative programs [Stark & Ireland, 1998]; 
and the correction of false conjectures [Monroy et al, 1994]. 
In other circumstances, a subgoal may be reached to which no method or 
critic is applicable. It may be possible to back-up to a choice point in the search, 
i.e. a place where two or more methods or critics were applicable. However, the 
search space defined by the methods and critics is typically much smaller than 
the search space defined by the object-level rules and axioms; that is both the 
strength and the weakness of proof planning. The total search space is cropped to 
the portion where the proof is most likely to occur - reducing the combinatorial 
explosion, but losing completeness. It is always possible to regain completeness 
by supplementing the methods with a default, general-purpose exhaustive search 
method, but some would regard this as a violation of the spirit of proof planning. 
For more discussion of these points see [Bundy, 2002] . 



Is It Possible to Discover New Kinds of Proof in a Proof Planning Sys- 
tem? Since general-purpose proof plans represent common patterns in proofs, 
then, by definition, they cannot discover new kinds of proof. This limitation 
could be overcome in several ways. One would be to include a default method 
which invoked some general search technique. This might find a new kind of 
proof by accident. Another might be to have meta-methods which constructed 
new methods. For instance, a method for one domain might be applied to 
another by generalizing its preconditions¹. Or a method might be learnt from 
an example proof (see §2.2). Proof plans might, for instance, be learnt from 
proofs constructed by general search. For more discussion of these points see 
[Bundy, 2002]. 



Isn’t Totally Automated Theorem Proving Infeasible? For the foresee- 
able future theorem provers will require human interaction to guide the search 
for non-trivial proofs. Fortunately, proof planning is also useful in interactive 
theorem provers. Proof plans facilitate the hierarchical organization of a partial 
proof, assisting the user to navigate around it and understand its structure. They 
also provide a language for chunking the proof and for describing the interre- 
lation between the chunks. Interaction with a semi-automated theorem prover 
can be based on this language. For instance, the user can: ask why a proof 
method failed to apply; demand that a heuristic precondition is overridden; use 
the analysis from proof critics to patch a proof; etc. 

The XBarnacle system is a semi-automated theorem prover based on proof 
planning [Lowe & Duncan, 1997]. There is also a version of XBarnacle with in- 
teraction critics, where the user assists the prover to find lemmas and general- 
izations [Jackson & Lowe, 2000]. 



Doesn’t Proof Planning Promote Cheating by Permitting Ad Hoc 
Adjustments to Enable a Prover to ‘Discover’ Particular Proofs? Not 
if the recommended methodology is adopted. [Bundy, 1991] specifies a set of 

¹ Often new departures come in mathematics when mathematicians switch from one 
area to another, bringing their proof methods with them. 
criteria for assessing proof plans. These include generality and parsimony, which 
discourage the creation of ad hoc methods designed to guide particular theorems. 
Rather, they encourage the design of a few, general-purpose methods which guide 
a wide range of theorems. The expectancy criterion promotes the association of 
a method with an explanation of why it works. This discourages the design of 
methods which often succeed empirically, but for poorly understood reasons. Of 
course, these criteria are a matter of degree, so poor judgement may produce 
methods which other researchers regard as ad hoc. The criteria of proof planning 
then provide a basis for other researchers to criticize such poor judgement. 

2.4 Is All This of Relevance to Me? 

Would a Proof Planning Approach Be Appropriate for My Application? The 
properties of a problem that indicate that proof planning might be a good 
solution are: 

1. A search space which causes a combinatorial explosion when searched without 
heuristic guidance; 
2. The existence of heuristic tactics which enable expert problem solvers to 
search a much smaller search space defined by these tactics; 
3. The existence of specifications for each tactic to determine when it is 
appropriate to apply it and what effect it will have if it succeeds. 



How Would I Go About Developing Proof Plans for My Domain? The 
key problem is to identify the tactics and their specifications. This is usually 
done by studying successful human problem solving and extracting the tactics. 
Sometimes there are texts describing the tactics, e.g. in bridge and similar games. 
Sometimes knowledge acquisition techniques, like those used in expert systems, 
are needed, e.g. analysis of problem solving protocols, exploratory interviews 
with human experts. 

3 Rippling 

3.1 Introduction 

What Is Rippling? A technique for controlling term rewriting using annotations 
to restrict application and to ensure termination, see Fig. 1. A goal expression 
is rippled with respect to one or more given expressions. Each given expression 
embeds in the goal expression. Annotations in the goal mark those subexpressions 
which correspond to parts of the given (the skeleton) and those which do not (the 
wave-fronts). The goal is rewritten so that the embeddings are preserved, i.e. 
rewriting can only move the wave-fronts around within the skeleton: wave-fronts 
can change but the skeleton cannot. Furthermore, wave-fronts are given a direction 
(outwards or inwards) and movement can only be in that direction. Outward 
wave-fronts can mutate to inward, but not vice versa. This ensures termination. 
Rippling can be implemented by putting wave annotation into the rewrite rules to 
turn them into wave-rules, see Fig. 2. The successful application of a wave-rule 
requires that any wave-front in the wave-rule must match a wave-front in the goal. 
Rippling was originally developed for guiding the step cases of inductive proofs, 
in which the givens are the induction hypotheses and the goal is the induction 
conclusion. 

Fig. 1 (reconstructed from the extracted figure; the hollow orange boxes of the 
original are shown here as ⌈...⌉): 

  Given (induction hypothesis):   t <> (y <> z) = (t <> y) <> z 

  Goal (induction conclusion), rippled step by step: 
    ⌈h :: t⌉ <> (y <> z) = (⌈h :: t⌉ <> y) <> z 
    ⌈h :: (t <> (y <> z))⌉ = ⌈h :: (t <> y)⌉ <> z 
    ⌈h :: (t <> (y <> z))⌉ = ⌈h :: ((t <> y) <> z)⌉ 
    ⌈h = h ∧ (t <> (y <> z) = (t <> y) <> z)⌉ 

Fig. 1. This example is taken from the step case of the induction proof of the 
associativity of append, where <> is infix list append and :: is infix list cons. 
The hollow grey boxes in the induction conclusion represent wave-fronts. Orange 
boxes are used when colour is available. Notice how these grow in size until a 
copy of the induction hypothesis appears inside them. 

Fig. 2 (reconstructed from the extracted figure; wave-fronts are shown as ⌈...⌉, 
with the box positions following the rule stated in the caption): 

    ⌈H :: T⌉ <> L  ⇒  ⌈H :: (T <> L)⌉ 
    rev(⌈H :: T⌉)  ⇒  ⌈rev(T) <> (H :: nil)⌉ 
    ⌈X1 :: X2⌉ = ⌈Y1 :: Y2⌉  ⇒  ⌈X1 = Y1 ∧ X2 = Y2⌉ 
    X <> ⌈Y <> Z⌉  ⇒  ⌈(X <> Y) <> Z⌉ 

Fig. 2. Rewrite rules from the recursive definition of <> and rev, the replacement 
rule for equality (backwards) and the associativity of <> are annotated as wave 
rules. The bits not in wave-fronts are called the skeleton. Note that the skeleton 
is the same on each side of the wave rule, but that more of it is surrounded by 
the wave-front on the right hand side compared to the left hand side. 

For an informal introduction to rippling with a large selection of examples 
see [Bundy et al, 1993]. For a more formal account see: [Basin & Walsh, 1996]. 
A thorough account will shortly be available in [Bundy et al, 2005]. 



Why Is It Called Rippling? Raymond Aubin coined the term ‘rippling-out’, 
in his 1976 Edinburgh PhD thesis, to describe the pattern of movement of what 
we now call wave-fronts, during conventional rewriting with constructor-style 
recursive definitions. In [Bundy, 1988], we turned this on its head by taking such 
a movement of wave-fronts as the definition of rippling rather than the effect 
of rewriting. This enabled the idea to be considerably generalized. Later we 
invented ‘rippling-sideways’, ‘rippling-in’, etc. and so generalized the combined 
technique to ‘rippling’. 

3.2 Relation to Standard Rewriting Techniques 

Are Wave-Rules Just the Step Cases of Recursive Definitions? No. 

Many lemmas and other axioms can also be annotated as wave-rules. Exam- 
ples include: associative laws; distributive laws; replacement axioms for equal- 
ity; many logical axioms; etc. Equations that cannot be expressed as wave-rules 
include commutative laws and (usually) the step cases from mutually recursive 
definitions. The latter can be expressed as wave-rules in an abstraction in which 
the mutually defined functions are regarded as indistinguishable. Lots of example 
wave-rules can be found in [Bundy et al, 2005] . 



How Does Rippling Differ from the Standard Application of Rewrite 
Rules? Rippling differs from standard rewriting in two ways. Firstly, the wave 
annotation may prevent the application of a wave-rule which, viewed only as 
a rewrite rule, would otherwise apply. This will happen if the left-hand side of 
the wave-rule contains a wave-front which does not match a wave-front in the 
expression being rewritten. Secondly, equations can usually be oriented as wave- 
rules in both directions, but without loss of termination. The wave annotations 
prevent looping. An empirical comparison of rippling and rewriting can be found 
in [Bundy & Green, 1996]. 



Since Rippling Is Terminating, Is It Restricted to Terminating Sets 
of Rewrite Rules? No. If all the rewrite rules in a non-terminating set can 
be annotated as wave-rules then the additional conditions of wave annotation 
matching, imposed by rippling, will ensure that rippling still terminates. Exam- 
ples are provided by the many rewrite rules that can be annotated as wave-rules 
in both directions, and may even both be used in the same proof, without loss 
of termination. 



Couldn’t We Simply Perform Rippling Using a Suitable Order, e.g. 
Recursive Path Ordering, Without the Need for Annotations? No, 
each skeleton gives (in essence) a different termination ordering which guides 
the proof towards fertilization with that skeleton. Different annotations on the 
same term can result in completely different rewritings. 



Is Rippling Restricted to First-Order, Equational Rewriting? No, there 
are at least two approaches to higher-order rippling. One is based on viewing 
wave annotation as representing an embedding of the given in the goal 
[Smaill & Green, 1996]. The other is based on a general theory of colouring 
λ-calculus terms in different ways [Hutter & Kohlhase, 1997]. 

Rippling can also be extended to support reasoning about logic programs, 
and other situations where values are passed between conjoined relations 
via shared existential variables, as opposed to being passed between nested 
functions. Relational rippling adapts rippling to this environment 
[Bundy & Lombart, 1995]. 

3.3 Wave Annotations 

Is the Concept of Wave-Rule a Formal or Informal One? ‘Wave-rule’ 
can be defined formally. It is a rewrite rule containing wave annotation in which 
the skeletons are preserved and the wave-front measure of the right-hand side 
is less than that of the left-hand side. Informally, the skeleton consists of those 
bits of the expression outside of wave-fronts or inside the wave-holes. The mea- 
sure records the position of the wave-fronts in the skeleton. It decreases when 
outwards directed wave-fronts move out or downwards wave-fronts move in. A 
formal definition of skeleton and of the wave-front measure can be found in 
[Basin & Walsh, 1996] and in chapter 4 of [Bundy et al, 2005]. 
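The following Python program is an added example, not code from the Clam, XClam or IsaPlanner systems described above. It serves three passages at once: the description of rippling in §3.1 (it reproduces the Fig. 1 trace with the first and third wave-rules of Fig. 2), the point in §3.2 that wave annotation blocks a rewrite which, viewed as a plain rewrite rule, would apply, and the skeleton, wave-front measure and ground difference matching of §3.3. The tuple term representation, the function names and the wave-front measure (the sum of the depths of the wave-fronts, a simplification chosen for the example rather than the Basin and Walsh measure) are all the example's own assumptions.

```python
# Constructed example, not code from Clam, XClam or IsaPlanner: a minimal rippler
# reproducing the Fig. 1 trace under the two constraints of §3 (skeleton preserved,
# wave-front measure decreasing).  Terms are nested tuples (op, arg, ...); lowercase
# strings are object-level variables, uppercase strings are rule pattern variables.
# ("wf", t) is an outward wave-front whose body t holds one ("hole", s) wave-hole.

def find_hole(t):                       # contents of the wave-hole in a body
    if isinstance(t, str):
        return None
    if t[0] == "hole":
        return t[1]
    return next((h for h in map(find_hole, t[1:]) if h is not None), None)

def skeleton(t):                        # the given's image: wave-fronts dropped
    if isinstance(t, str):
        return t
    if t[0] == "wf":
        return skeleton(find_hole(t[1]))
    return (t[0],) + tuple(skeleton(a) for a in t[1:])

def measure(t, depth=0):                # sum of wave-front depths (simplified)
    if isinstance(t, str):
        return 0
    return (depth if t[0] == "wf" else 0) + sum(measure(a, depth + 1) for a in t[1:])

def match(pat, t, env):
    """"wf"/"hole" nodes must line up: a wave-front in a rule only matches a
    wave-front in the goal, which is the restriction described in §3.2."""
    if isinstance(pat, str) and pat[:1].isupper():
        return env.setdefault(pat, t) == t
    if isinstance(pat, str) or isinstance(t, str):
        return pat == t
    return pat[0] == t[0] and len(pat) == len(t) and \
        all(match(p, a, env) for p, a in zip(pat[1:], t[1:]))

def instantiate(pat, env):
    if isinstance(pat, str):
        return env.get(pat, pat) if pat[:1].isupper() else pat
    return (pat[0],) + tuple(instantiate(a, env) for a in pat[1:])

def rewrite(t, lhs, rhs):               # apply a wave-rule, outermost-leftmost
    env = {}
    if match(lhs, t, env):
        return instantiate(rhs, env)
    if isinstance(t, str):
        return None
    for i, a in enumerate(t[1:], start=1):
        new = rewrite(a, lhs, rhs)
        if new is not None:
            return t[:i] + (new,) + t[i + 1:]
    return None

def ripple(goal, wave_rules):
    """Ripple to normal form; a step must keep the skeleton and lower the measure."""
    trace = [goal]
    while True:
        for lhs, rhs in wave_rules:
            new = rewrite(goal, lhs, rhs)
            if new is not None and skeleton(new) == skeleton(goal) \
                    and measure(new) < measure(goal):
                goal = new
                trace.append(goal)
                break
        else:
            return trace

def fertilize(goal, given):
    """Strong fertilization is possible when the given sits verbatim in a wave-hole."""
    return goal == ("hole", given) or (
        isinstance(goal, tuple) and any(fertilize(a, given) for a in goal[1:]))

def difference_match(given, goal):
    """Ground difference matching (§3.3): hide surplus goal structure in wave-fronts."""
    if given == goal:
        return goal
    if isinstance(given, tuple) and isinstance(goal, tuple) \
            and given[0] == goal[0] and len(given) == len(goal):
        args = [difference_match(g, s) for g, s in zip(given[1:], goal[1:])]
        if None not in args:
            return (goal[0],) + tuple(args)
    if isinstance(goal, tuple):
        for i, a in enumerate(goal[1:], start=1):
            inner = difference_match(given, a)
            if inner is not None:
                return ("wf", goal[:i] + (("hole", inner),) + goal[i + 1:])
    return None

def WF(t): return ("wf", t)
def HOLE(t): return ("hole", t)
# Fig. 2 wave-rules: the step case of <> and the replacement rule for = (backwards).
APPEND = (("<>", WF(("::", "H", HOLE("T"))), "L"), WF(("::", "H", HOLE(("<>", "T", "L")))))
CONS_EQ = (("=", WF(("::", "X1", HOLE("X2"))), WF(("::", "Y1", HOLE("Y2")))),
           WF(("and", ("=", "X1", "Y1"), HOLE(("=", "X2", "Y2")))))
RULES = [APPEND, CONS_EQ]

# Fig. 1: the given (induction hypothesis) and the unannotated induction conclusion.
GIVEN = ("=", ("<>", "t", ("<>", "y", "z")), ("<>", ("<>", "t", "y"), "z"))
CONCLUSION = ("=", ("<>", ("::", "h", "t"), ("<>", "y", "z")),
              ("<>", ("<>", ("::", "h", "t"), "y"), "z"))

def prove_step_case():                  # annotate, ripple, then fertilize
    trace = ripple(difference_match(GIVEN, CONCLUSION), RULES)
    return trace, fertilize(trace[-1], GIVEN)
```

Calling prove_step_case() yields the four ripple steps of Fig. 1 (measures 5, 4, 3, 2, 0) and reports that the given now sits in a wave-hole, so fertilization succeeds. Because APPEND is tried on the unannotated term (h :: t) <> l as well, one can also see the annotation refusing a rewrite that a plain rewriter would perform.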



Where Do the Wave Annotations in Wave-Rules and in Induction 
Rules Come from? Wave annotation can be inserted in expressions by a 
family of difference unification algorithms invented by Basin and Walsh (see 
[Basin & Walsh, 1993]). These algorithms are like unification but with the addi- 
tional ability to hide non-matching structure in wave-fronts. Ground difference 
matching can be used to insert wave annotation into induction rules and ground 
difference unification for wave-rules. ‘Ground’ means that no instantiation of 
variables occurs. ‘Matching’ means that wave-fronts are inserted only into the 
induction conclusion and not the induction hypothesis. ‘Unification’ means that 
wave-fronts are inserted into both sides of wave-rules. Note that the process of 
inserting wave annotations can be entirely automated. 

3.4 Performance 

Has Rippling Been Used to Prove Any Hard Theorems? Yes. Rippling 
has been used successfully in the verification of the Gordon microprocessor and 
the synthesis of a decision procedure and of the rippling tactic itself. It has also 
been used outwith inductive proofs for the summing of series and the Lim+ 
theorem. A survey of some of these successes can be found in chapter 5 of 
[Bundy et al, 2005]. 



Can Rippling Fail? Yes, if there is no wave-rule available to move a wave-front. 
In this case we apply critics to try to patch the partial proof. For inductive proofs, 
for instance, these may: generalize the induction formula; revise the induction 
rule; introduce a case split; or introduce and prove an intermediate lemma, ac- 
cording to the precise circumstances of the breakdown. The fact that a failed 
ripple provides so much information to focus the attempt to patch the proof is 
one of the major advantages of rippling. More details about critics, including 
some hard examples which have been proved with their use, can be found in 
[Ireland & Bundy, 1996] and in chapter 3 of [Bundy et al, 2005]. 

3.5 Miscellaneous 

How Is Rippling Used to Choose Induction Rules? There is a one-level 
look-ahead into the rippling process to see what induction rules would permit 
rippling to take place. In particular, which wave-fronts placed around which 
induction variables would match with corresponding wave-fronts in induction 
rules. We call this ripple analysis. It is similar to the use of recursive defini- 
tions to suggest induction rules, as pioneered by Boyer and Moore, but differs 
in that all available wave-rules are used in ripple analysis, and not just recursive 
definitions. More detail of ripple analysis can be found in [Bundy et al, 1989], al- 
though that paper is rather old now and is not a completely accurate description 
of current rippling implementations. In particular, the term ‘ripple analysis’ was 
not in use when that paper was written and it is mislead­ingly called ‘recursion 
analysis’ there. A recent alternative approach is to postpone the choice of 
induction rule by using meta-variables as place holders for the induction term and 
then instantiating these meta-variables during rippling: thus tailoring the choice 
of induction rule to fit the needs of rippling [Kraan et al, 1996, Gow, 2004]. 

3.6 And Finally ... 

Why Do You Use Orange Boxes to Represent Wave-Fronts? 

The boxes form hollow squares, which help to display the outwards or inwards 
movement of wave-fronts. In the days of hand-written transparencies, orange 
was used because it is one of the few transparent overhead pen colours, allowing 
the expression in the wave-front to show through. 

For more information about the research work outlined above, electronic 
versions of some of the papers and information about downloading software, see 
the web site of my research group at http://dream.dai.ed.ac.uk/. 
Abstract. Classical logic predicts that everything (thus nothing useful 
at all) follows from inconsistency. A paraconsistent logic is a logic where 
an inconsistency does not lead to such an explosion, and since in practice 
consistency is difficult to achieve there are many potential applications 
of paraconsistent logics in knowledge-based systems, logical semantics of 
natural language, etc. 

Higher order logics have the advantages of being expressive and with 
several automated theorem provers available. Also the type system can 
be helpful. 

We present a concise description of a paraconsistent higher order logic 
with countably infinite indeterminacy, where each basic formula can get 
its own indeterminate truth value. The meaning of the logical operators 
is new and rather different from traditional many-valued logics as well 
as from logics based on bilattices. Thus we try to build a bridge between 
the communities of higher order logic and many- valued logic. 

A case study is studied and a sequent calculus is proposed based on 
recent work by Muskens. 



Many non-classical logics are, at the propositional level, funny toys which work 
quite good, but when one wants to extend them to higher levels to get a real 
logic that would enable one to do mathematics or other more sophisticated 
reasonings, sometimes dramatic troubles appear. 

J.-Y. Beziau: The Future of Paraconsistent Logic 
Logical Studies Online Journal 2 (1999) p. 7 

A preliminary version appeared in the informal proceedings of the workshop 
on Paraconsistent Computational Logic PCL 2002 (editors Hendrik Decker, 
Jørgen Villadsen, Toshiharu Waragai) http://www.ruc.dk/~jv/pcl.pdf 



1 Introduction 

Classical logic predicts that everything (thus nothing useful at all) follows from 
inconsistency. A paraconsistent logic is a logic where an inconsistency does not 
lead to such an explosion. 

In a paraconsistent logic the meaning of some of the logical operators must 
be different from classical logic in order to block the explosion, and since there 

* This research was partly sponsored by the IT University of Copenhagen. 
are many ways to change the meaning of these operators there are many 
different paraconsistent logics. We present a paraconsistent higher order logic ∇ 
based on the (simply) typed λ-calculus [10,4]. Although it is a generalization 
of Łukasiewicz’s three-valued logic the meaning of the logical operators is new. 
The results extend the three-valued and four-valued logics first presented in [19, 
20] to infinite-valued logics. 

One advantage of a higher order logic is that the logic is very expressive in the 
sense that most mathematical structures, functions and relations are available 
(for instance arithmetic) . Another advantage is that there are several automated 
theorem provers for classical higher order logic, e.g. TPS [5], LEO [9], HOL, 
PVS, IMPS, and Isabelle (see [23] for further references). It should be possible 
to modify some of these to our paraconsistent logic; in particular the generic 
theorem prover Isabelle [18] already implements several object logics. 

We are inspired by the notion of indeterminacy as discussed by Evans [11]. 
Even though the higher order logic ∇ is paraconsistent some of its extensions, 
like Δ, are classical. We reuse the symbols ∇ and Δ later for related purposes. 

We also propose a sequent calculus for the paraconsistent higher order logic ∇ 
based on the seminal work by Muskens [17]. In the sequent Θ ⊢ Γ we understand 
Θ as a conjunction of a set of formulas and Γ as a disjunction of a set of formulas. 
We use Θ ⊩ Γ as a shorthand for Θ, ω ⊢ Γ, where ω is an axiom which provides 
countably infinite indeterminacy such that each basic formula can get its own 
indeterminate truth value (or as we prefer: truth code). 

As mentioned above higher order logic includes much, if not all, of ordinary 
mathematics, and even though ∇ is paraconsistent we can use it for classical 
mathematics by keeping the truth values determinate. Hence we shall not 
consider here paraconsistent mathematics. Using the standard foundation of 
mathematics (axiomatic set theory) it is possible to show that ∇ is consistent. 

The essential point is that the higher-order issues and many-valued issues 
complement each other in the present framework: 

— On the one hand we can view ∇ as a paraconsistent many-valued extension 
of classical higher order logic. 

— On the other hand we can view ∇ as a paraconsistent many-valued 
propositional logic with features from classical higher order logic. 

First we introduce a case study and motivate our definitions of the logical 
operators. Then we describe the syntax and semantics of the typed λ-calculus and 
introduce the primitives of the paraconsistent higher order logic ∇, in particular 
the modality and implications available. Finally we present a sequent calculus 
for ∇ and its extensions. 

2 A Case Study 

Higher order logic is not really needed for the case study - propositional logic is 
enough - but the purpose of the case study is mainly to illustrate the working 
of the paraconsistency. The features of first order logic and higher order logic, 
including mathematical concepts, seem necessary in general. 

Imagine a system that collects information on the internet - say, from news 
media - about the following scenario: Agent X thinks that his supervisor hides a 
secret that the public ought to know about. For simplicity we ignore all temporal 
aspects and take all reports to be in present tense. We also do not take into 
account a more elaborate treatment of conditionals / counterfactuals. 

Assume that the following pieces of information are available: 

#123 If X leaks the secret then he keeps his integrity. 

#456 If X does not leak the secret then he keeps his job. 

#789 If X does not keep his job then he does not keep his integrity. 

#1000 X does not keep his job. 

The numbers indicate that the information is collected over time and perhaps 
from various sources. 

Classically the information available to the system is inconsistent. This is 
not entirely obvious, especially not when numerous other pieces of information 
are also available to the system and when the system is operating under time 
constraints. Note that the information consists of both simple facts (#1000) as 
well as rules (#123, #456, #789). A straightforward formalization is as follows: 

  L → I        θ₁ 

  ¬L → J       θ₂ 

  ¬J → ¬I      θ₃ 

  ¬J           θ₀ 

Here the propositional symbol L means that X leaks the secret, I that X keeps his 
integrity, and J that X keeps his job. As usual → is implication, ∧ is conjunction, 
and ¬ is negation. 

If we use classical logic on the formulas θ₀, θ₁, θ₂, θ₃ the system can conclude 
L, ¬L, I, ¬I, J, ¬J, and whatever other fact or rule considered. Of course 
we might try to revise the information θ₀, θ₁, θ₂, θ₃, but it is not immediately 
clear what would be appropriate. In the present paper we propose to use a 
paraconsistent logic ∇ such that the system can conclude only ¬J or θ₀, which 
is reasonable (the logic ∇ is monotonic and any formula φ entails itself). 

The paraconsistent logic ∇ is an extension of classical logic in the sense that 
classical reasoning is easily possible, just add the special formulas ΔL, ΔI, and 
ΔJ to the formulas θ₀, θ₁, θ₂, θ₃ and L, I, and J behave classically. 

We now turn to the motivation of the logical operators, which are to be 
defined using so-called key equalities. We return to the case study in section 6. 

3 Overall Motivation 

Classical logic has two truth values, namely • and ∘ (truth and falsehood), and 
the designated truth value • yields the logical truths. We use the symbol ⊤ for 
the truth value • and ⊥ for ∘ (later these symbols are seen as abbreviations for 
specific formulas). 

But classical logic cannot handle inconsistency since an explosion occurs. 
In order to handle inconsistency we allow additional truth values and the first 
question is: 

1. How many additional values do we need? 

It seems reasonable to consider countably infinitely many additional truth 
values - one for each proper constant we might introduce in the theory for the 
knowledge base. Each proper constant (a proposition, a property or a relation) 
can be inconsistent “independently” of other proper constants. We are inspired 
by the notion of indeterminacy as discussed by Evans [11]. Hence in addition 
to the determinate truth values Δ = {•, ∘} we also consider the indeterminate 
truth values ∇ = {ı, ıı, ııı, ...} to be used in case of inconsistencies. We refer 
to the determinate and indeterminate truth values Δ ∪ ∇ as the truth codes. 
We can then use, say, (Δ ∪ ∇) \ {•} as substitutes for the natural numbers 
ω = {0, 1, 2, 3, ...}. 

The second question is: 

2. How are we going to define the connectives? 

One way to proceed is as follows. First we want the De Morgan laws to hold; 
hence φ ∨ ψ = ¬(¬φ ∧ ¬ψ). For implication we have the classically acceptable 
φ → ψ = φ ↔ φ ∧ ψ. For negation we propose to map • to ∘ and vice versa, 
leaving the other values unchanged (after all, we want the double negation law 
φ = ¬¬φ to hold for all formulas φ). For conjunction we want the idempotent 
law to hold and • should be neutral, and ∘ is the default result. For 
biimplication we want reflexivity and • should be neutral, ∘ should be negation, 
and again ∘ is the default result. The universal quantification is defined using 
the same principles as a kind of generalized conjunction and the existential 
quantification follows from a generalized De Morgan law. 

We do not consider a separate notion of entailment; we simply say that φ 
entails ψ iff φ → ψ holds. While it is true that φ ∧ ¬φ does not entail arbitrary 
ψ we do have that ψ entails φ → ψ, hence we do not have a relevant logic [1] in 
general (but only for so-called first degree entailment). Our logic validates clear 
“fallacies of relevance” like the one just noted, or like the inference from φ to 
ψ → ψ, but these do not seem problematic for the applications discussed above. 

Our logic is a generalization of Łukasiewicz’s three-valued logic (originally 
proposed 1920-30), with the intermediate value duplicated many times and 
ordered such that none of the copies of this value imply other ones, but it differs 
from Łukasiewicz’s many-valued logics as well as from logics based on bilattices 
[8,12,6,13]. 

4 Conjunction, Disjunction, and Negation 

The motivation for our logical operators is to be found in the key equalities 
shown to the right of the following semantic clauses (the basic semantic clause 
and the clause $[\top] = \bullet$ are omitted; further clauses are discussed later). Also 
$\neg\neg\varphi = \varphi$ is considered to be a key equality as well. 



\[
[\neg\varphi] = \begin{cases}
\bullet & \text{if } [\varphi] = \circ \\
\circ & \text{if } [\varphi] = \bullet \\
[\varphi] & \text{otherwise}
\end{cases}
\qquad
\begin{array}{ll}
\top & \neg\bot \\
\bot & \neg\top
\end{array}
\]

\[
[\varphi \wedge \psi] = \begin{cases}
[\varphi] & \text{if } [\varphi] = [\psi] \\
[\psi] & \text{if } [\varphi] = \bullet \\
[\varphi] & \text{if } [\psi] = \bullet \\
\circ & \text{otherwise}
\end{cases}
\qquad
\begin{array}{ll}
\varphi & \varphi \wedge \varphi \\
\psi & \top \wedge \psi \\
\varphi & \varphi \wedge \top
\end{array}
\]

(In each right-hand column the formula evaluates to the truth code listed beside it.)

In the semantic clauses several cases may apply if and only if they agree on the 
result. The semantic clauses work for classical logic and also for our logic. 

We have the following standard abbreviations: 

\[ \bot = \neg\top \qquad \varphi \vee \psi = \neg(\neg\varphi \wedge \neg\psi) \qquad \exists v.\varphi = \neg\forall v.\neg\varphi \]

The universal quantification $\forall v.\varphi$ will be introduced later (as a kind of generalized 
conjunction). A suitable abbreviation for $\top$ is also provided later. 

As explained we have an infinite number of truth values (truth codes) in general, 
but the special cases of three-valued and four-valued logics are interesting 
too. In order to investigate finite truth tables we first add just $[\imath] = \imath$ as an 
indeterminacy. We do not have $\varphi \vee \neg\varphi$. Unfortunately we do have that $\varphi \wedge \neg\varphi$ 
entails $\psi \vee \neg\psi$ (try with $\bullet$, $\circ$ and $\imath$ using the truth tables and use the fact that 
any $\varphi$ entails itself). The reason for this problem is that in a sense there is not 
only a single indeterminacy, but a unique one for each basic formula. 

However, in many situations only two indeterminacies are ever needed, corresponding 
to the left and right hand side of the implication. Hence we add $[\imath\imath] = \imath\imath$ 
as the alternative indeterminacy. 
Truth tables for negation and conjunction over the four truth codes (rows give the value of φ, columns the value of ψ):

φ      ¬φ
•      ∘
∘      •
ı      ı
ıı     ıı

φ ∧ ψ    •     ∘     ı     ıı
•        •     ∘     ı     ıı
∘        ∘     ∘     ∘     ∘
ı        ı     ∘     ı     ∘
ıı       ıı    ∘     ∘     ıı



Keep in mind that truth tables are never taken as basic - they are simply 
calculated from the semantic clauses taking into account also the abbreviations. 



5 Implication, Biimplication, and Modality 

As for conjunction and negation the motivation for the biimplication operator $\Leftrightarrow$ 
(and the implication operator $\Rightarrow$ as defined later) is based on the few key 
equalities shown to the right of the following semantic clause. 
\[
[\varphi \Leftrightarrow \psi] = \begin{cases}
\bullet & \text{if } [\varphi] = [\psi] \\
[\psi] & \text{if } [\varphi] = \bullet \\
[\varphi] & \text{if } [\psi] = \bullet \\
[\neg\psi] & \text{if } [\varphi] = \circ \\
[\neg\varphi] & \text{if } [\psi] = \circ \\
\circ & \text{otherwise}
\end{cases}
\qquad
\begin{array}{ll}
\top & \varphi \Leftrightarrow \varphi \\
\psi & \top \Leftrightarrow \psi \\
\varphi & \varphi \Leftrightarrow \top \\
\neg\psi & \bot \Leftrightarrow \psi \\
\neg\varphi & \varphi \Leftrightarrow \bot
\end{array}
\]



As before, several cases may apply if and only if they agree on the result and 
the semantic clause works for classical logic too. 

The semantic clause is an extension of the clause for equality $=$: 

\[
[\varphi = \psi] = \begin{cases}
\bullet & \text{if } [\varphi] = [\psi] \\
\circ & \text{otherwise}
\end{cases}
\]



We have the following abbreviations: 

\[ \varphi \Leftrightarrow \psi = \varphi = \psi \qquad \varphi \Rightarrow \psi = \varphi \Leftrightarrow \varphi \wedge \psi \]

ip — > \p = ip -1^ ip A Ip 



\[ \Box\varphi = \varphi = \top \qquad \Diamond\varphi = \neg\Box\neg\varphi \]



The logical necessity operator $\Box$ is a so-called S5 modality. 

We could also have used $(\varphi \Rightarrow \psi) \wedge (\psi \Rightarrow \varphi)$ for $\varphi \Leftrightarrow \psi$ (using $=$ instead of 
$\Leftrightarrow$ in the definition of $\Rightarrow$). Besides, $\Leftrightarrow$ binds very loosely, even more loosely than 
$\Rightarrow$ does, and $=$ binds tightly. The binding priority is the only difference between 
$=$ and $\Leftrightarrow$ for formulas, but $\Rightarrow$ and $\to$ are quite different as can be seen from the 
truth tables. 
We could try the following standard abbreviations: 

\[ \varphi \to \psi = \neg\varphi \vee \psi \qquad \varphi \leftrightarrow \psi = (\varphi \to \psi) \wedge (\psi \to \varphi) \]

But here we have neither $\varphi \to \varphi$ nor $\varphi \leftrightarrow \varphi$, since the diagonals differ from $\bullet$ at 
indeterminacies. 
Truth tables (rows give the value of φ, columns the value of ψ) for the standard abbreviations just tried and for the → and ↔ abbreviated below:

φ → ψ (standard)    •     ∘     ı     ıı
•                   •     ∘     ı     ıı
∘                   •     •     •     •
ı                   •     ı     ı     •
ıı                  •     ıı    •     ıı

φ ↔ ψ (standard)    •     ∘     ı     ıı
•                   •     ∘     ı     ıı
∘                   ∘     •     ı     ıı
ı                   ı     ı     ı     •
ıı                  ıı    ıı    •     ıı

φ → ψ (adopted)     •     ∘     ı     ıı
•                   •     ∘     ı     ıı
∘                   •     •     •     •
ı                   •     •     •     •
ıı                  •     •     •     •

φ ↔ ψ (adopted)     •     ∘     ı     ıı
•                   •     ∘     ı     ıı
∘                   ∘     •     •     •
ı                   ı     •     •     •
ıı                  ıı    •     •     •



We instead use the following abbreviations: 

\[ \varphi \to \psi = \neg\Box\varphi \vee \psi \qquad \varphi \leftrightarrow \psi = (\varphi \to \psi) \wedge (\psi \to \varphi) \]

Although $\varphi \to \psi$ does not entail $\neg\psi \to \neg\varphi$, we do have $\varphi \to \varphi$ and $\varphi \leftrightarrow \varphi$, and 
this implication is very useful as we shall see in a moment. 

We also use the predicate $\Delta$ for determinacy and $\nabla$ for indeterminacy with 
the abbreviations (note that $\Delta$ and $\nabla$ are used for predicates and for sets of 
truth codes): 

\[ \Delta\varphi = \Box(\varphi \vee \neg\varphi) \qquad \nabla\varphi = \neg\Delta\varphi \]

φ      ∇φ     Δφ
•      ∘      •
∘      ∘      •
ı      •      ∘
ıı     •      ∘



We now come to the central abbreviations based directly on the semantic clause 
above: 

\[
\begin{array}{ll}
\varphi \Leftrightarrow \psi = & (\varphi = \psi \to \top) \wedge \\
& (\varphi \to \psi) \wedge \\
& (\psi \to \varphi) \wedge \\
& (\neg\varphi \to \neg\psi) \wedge \\
& (\neg\psi \to \neg\varphi) \wedge \\
& (\neg(\varphi = \psi) \wedge \nabla\varphi \wedge \nabla\psi \to \bot)
\end{array}
\]

We could also use $(\varphi \leftrightarrow \psi) \wedge (\neg\varphi \leftrightarrow \neg\psi) \wedge (\varphi = \psi \vee \Delta\varphi \vee \Delta\psi)$ for $\varphi \Leftrightarrow \psi$. 
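To make the clauses of Sections 4 and 5 concrete, here is an added example that is not code from the paper: a Python implementation of the semantic clauses over truth codes, together with the abbreviations ∨, ⇒, □, ∇, the rejected and the adopted →, and the central abbreviation for ⇔. It recomputes the truth tables and checks the entailment claims made above; the string encoding of the truth codes and all function names are this example's own.

```python
# Added example (not from the paper): the semantic clauses of Sections 4 and 5
# over truth codes. A truth code is a string: "•" (true), "o" (false) and
# "i", "ii", ... for the indeterminacies; all function names are this
# example's own.
from itertools import product

TRUE, FALSE = "•", "o"
THREE = [TRUE, FALSE, "i"]       # the three-valued case of Section 4
FOUR = THREE + ["ii"]            # the four-valued case (second indeterminacy)


def neg(a):
    """[¬φ]: swap • and o; every indeterminacy is left unchanged."""
    return {TRUE: FALSE, FALSE: TRUE}.get(a, a)


def conj(a, b):
    """[φ ∧ ψ]: idempotent, • is neutral, o is the default result."""
    if a == b:
        return a
    if a == TRUE:
        return b
    if b == TRUE:
        return a
    return FALSE


def bi(a, b):
    """[φ ⇔ ψ] (= on formulas): reflexive, • neutral, o acts as negation,
    o is the default result."""
    if a == b:
        return TRUE
    if a == TRUE:
        return b
    if b == TRUE:
        return a
    if a == FALSE:
        return neg(b)
    if b == FALSE:
        return neg(a)
    return FALSE


# Abbreviations of Sections 4 and 5.
def disj(a, b):        # φ ∨ ψ = ¬(¬φ ∧ ¬ψ)
    return neg(conj(neg(a), neg(b)))


def imp(a, b):         # φ ⇒ ψ = φ ⇔ φ ∧ ψ, the basis of entailment
    return bi(a, conj(a, b))


def box(a):            # □φ = (φ = ⊤), the S5 necessity operator
    return TRUE if a == TRUE else FALSE


def nabla(a):          # ∇φ = ¬Δφ, where Δφ = □(φ ∨ ¬φ)
    return neg(box(disj(a, neg(a))))


def std_arrow(a, b):   # the rejected "standard" φ → ψ = ¬φ ∨ ψ
    return disj(neg(a), b)


def arrow(a, b):       # the adopted φ → ψ = ¬□φ ∨ ψ
    return disj(neg(box(a)), b)


def central_bi(a, b):
    """The Section 5 abbreviation that rewrites the ⇔ clause with →; it
    must agree with bi on every pair of truth codes."""
    parts = [
        arrow(bi(a, b), TRUE),
        arrow(a, b),
        arrow(b, a),
        arrow(neg(a), neg(b)),
        arrow(neg(b), neg(a)),
        arrow(conj(conj(neg(bi(a, b)), nabla(a)), nabla(b)), FALSE),
    ]
    result = parts[0]
    for p in parts[1:]:
        result = conj(result, p)
    return result


def valid(formula, arity, codes):
    """True iff formula(...) is designated (•) for every assignment of codes
    to its `arity` basic formulas; φ entails ψ iff valid(φ ⇒ ψ)."""
    return all(formula(*v) == TRUE for v in product(codes, repeat=arity))


def truth_table(op, codes):
    """Rows (a, b, op(a, b)) of a binary operator, row value first."""
    return [(a, b, op(a, b)) for a in codes for b in codes]


if __name__ == "__main__":
    lem = lambda p, q: imp(conj(p, neg(p)), disj(q, neg(q)))
    print("φ∧¬φ entails ψ∨¬ψ: 3-valued", valid(lem, 2, THREE),
          "4-valued", valid(lem, 2, FOUR))
    print("standard φ→φ valid:", valid(lambda p: std_arrow(p, p), 1, FOUR),
          " adopted φ→φ valid:", valid(lambda p: arrow(p, p), 1, FOUR))
    for a, b, v in truth_table(arrow, FOUR):
        print(f"{a:>2} → {b:<2} = {v}")
```

Running the script reproduces the observation of Section 4 (the entailment of ψ ∨ ¬ψ by φ ∧ ¬φ holds with three truth codes and fails once ıı is added), the failure of reflexivity for the standard arrow, and the agreement of the central abbreviation with the ⇔ clause on all sixteen pairs of four-valued codes.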

6 A Case Study — Continued 

Recall that classical logic explodes in the presence of the formulas $\theta_0, \theta_1, \theta_2, \theta_3$ 
since $\theta_0, \theta_1, \theta_2, \theta_3$ entails any formula $\varphi$. In $\nabla$ we have several counter-examples 
as follows. 

The reason why we do not have $(\theta_0 \wedge \theta_1 \wedge \theta_2 \wedge \theta_3) \Rightarrow J$ is that $[L] = \bullet$, 
$[I] = \imath$, $[J] = \circ$ is a counter-example. This can be seen from the truth tables - 
the result is $\imath$ which is not designated. The same counter-example also shows that 
the system cannot conclude $\neg L$ since $[\neg L] = \circ = [J]$ and it cannot conclude $J$ 
as just explained. 

The system cannot conclude $L$ (take $[L] = \circ$, $[I] = \circ$, $[J] = \imath$ as a counter-example) 
and neither $I$ nor $\neg I$ (take $[L] = \imath$, $[I] = \imath\imath$, $[J] = \imath$ in both cases). 

There is quite some flexibility with respect to the formalization - as an example 
we consider changing $\neg J$ to $\Box\neg J$ where the logical necessity operator $\Box$ 
expresses that the fact is “really” true. Now the previous counter-example to $L$ 
is no good and since it can be shown that there is no other counter-example, the 
system concludes $L$ (it also concludes $\neg I$ and of course still $\neg J$). Recall that 
classical logic is useless in this case study. The previous counter-example to $\neg L$ 
and $J$ is ok, and there is a counter-example $[L] = \imath$, $[I] = \circ$, $[J] = \circ$ to $I$. 

We think that the case study shows that the logic $\nabla$ is inconsistency-tolerant 
in an interesting way, but of course further investigations are needed to clarify 
the potential. 



7 A Sequent Calculus 

We base the paraconsistent higher order logic $\nabla$ on the (simply) typed $\lambda$-calculus 
[10] (see also [7], especially for the untyped $\lambda$-calculus and for the notion of 
combinators which we use later). 

Classical higher-order logic is often built from a very few primitives, say 
equality $=$ and the selection operator $\iota$ as in $Q_0$ [4], but it does not seem like 
we can avoid taking, say, negation, conjunction and universal quantification as 
primitives for $\nabla$. Also we prefer to extend the selection operator $\iota$ to the (global) 
choice operator $\varepsilon$ described later. 

We use the following well-known abbreviations in order to replace negation 
and conjunction by joint denial (also known as Sheffer’s stroke): 

~^Lp = ip\Lp (fi Aip = 

We also have a so-called indeterminacy generation operator $\partial$ as a primitive. We 
use the following abbreviations: 

Tp = —'ip ip = dip ip = dp 

The indeterminacy generation operator is injective and we can use it for the 
natural numbers. We say much more about it later. 

The truth tables in case of four truth values are the following (rows give the value of φ, columns the value of ψ). 

φ = ψ     •     ∘     ı     ıı
•         •     ∘     ı     ıı
∘         ∘     •     ı     ıı
ı         ı     ı     •     ∘
ıı        ıı    ıı    ∘     •

The truth table only displays equality $=$ between formulas (the biimplication 
operator $\Leftrightarrow$), but it is applicable to any type. We have the abbreviation: 

\[ \top = (\lambda x.x) = (\lambda x.x) \]

Here $\lambda x.x$ is the identity function in the $\lambda$-calculus (any type for $x$ will do). 
7.1 Syntax 

We define the following sets of types and terms - the latter for each type $\tau$ and 
in the case of the $\lambda$ abstraction we additionally require that $\tau$ is of the form $\alpha\beta$. 

\[ T = o \mid \tau\tau \mid S \qquad \mathcal{C}_\tau = \mathcal{C}_{\gamma\tau}\,\mathcal{C}_\gamma \mid \lambda V_\alpha.\mathcal{C}_\beta \mid C_\tau \mid V_\tau \]

Here $S$ is the set of sorts (empty in the propositional case, where the only basic 
type is $o$ for formulas), $C_\tau$ and $V_\tau$ are the sets of term constants and variables 
of type $\tau$ (the set of variables must be countably infinite), and $\alpha, \beta, \gamma, \tau \in T$. 

We often write $\tau_1 \ldots \tau_m\iota$ instead of the type $\tau_1(\ldots(\tau_m\iota))$ and $\varphi\psi_1 \ldots \psi_n$ 
instead of the term $(\ldots(\varphi\psi_1)\ldots)\psi_n$. Note that the relational types are $\tau_1 \ldots \tau_n o$ 
(also called predicates). 

If we add a sort of individuals $\iota$ to the propositional higher order logic $\nabla$ 
we obtain the higher order logic $\nabla_\iota$ (further sorts can be added, but for our 
purposes they are not needed). 

7.2 Semantics 

As usual $Y^X$ is the set of functions from $X$ to $Y$. 

A universe $U$ is an indexed set of type universes $U_\tau$ such that $U_{\alpha\beta} \subseteq U_\beta^{U_\alpha}$. 
The universe is full if $\subseteq$ is replaced by $=$. 

A basic interpretation $I$ on a universe $U$ is a function $I: \bigcup C_\tau \to \bigcup U_\tau$ such 
that $I\kappa_\tau \in U_\tau$ for $\kappa_\tau \in C_\tau$. Analogously, an assignment $A$ on a universe $U$ is a 
function $A: \bigcup V_\tau \to \bigcup U_\tau$ such that $Av_\tau \in U_\tau$ for $v_\tau \in V_\tau$. 

A model $M = (U, I)$ consists of a basic interpretation $I$ on a universe $U$ such 
that for all assignments $A$ on the universe $U$ the interpretation $[\_]: \bigcup \mathcal{C}_\tau \to \bigcup U_\tau$ 
has $[\psi_\tau] \in U_\tau$ for all terms $\psi_\tau \in \mathcal{C}_\tau$, where (we use the $\lambda$-calculus in 
the meta-language as well): 

\[ [\kappa] = I\kappa \qquad [v] = Av \qquad [\lambda v.\varphi] = \lambda u.[\varphi] \qquad [\varphi\psi] = [\varphi][\psi] \]

For clarity we omit some types and parameters. 

What we call just a model is also known as a general model, and a full model 
is then a standard model. An arbitrary basic interpretation on a universe is 
sometimes considered a very general model. 

7.3 Primitives 

We use five primitive combinators of the following types ($\tau \in T$): 

D    ooo      Joint denial - Sheffer’s stroke 
Q    ττo      Equality 
A    (τo)o    Universal quantification 
C    (τo)τ    Global choice 
V    oo       Indeterminacy generation 
We have the following abbreviations (we omit the types): 

= Dipip tp = ij) = Qiptp (f = Qi^ 

Wv-if = A XV. ip ip = Cp sv.p = Cxv.p dp = \/p 

Only a few of these abbreviations need explanation. The (global) choice operator 
$\varepsilon$ chooses some value $v$ for which $\varphi$ is satisfied ($v$ can be free in $\varphi$); if no such 
value exists then an arbitrary value is chosen (of the right type). The choice is 
global in the sense that all choices are the same for equivalent $\varphi$’s, hence for 
instance we have $(\varepsilon x.\bot) = (\varepsilon x.\top)$. 

The singleton notation turns $\varphi$ into a singleton set with itself as the sole member 
and the selection notation is its inverse, since selecting from the singleton of $\varphi$ gives back $\varphi$, which is called the selection property, cf. the 
selection operator $\iota$ in $Q_0$ [4]. But selection is of course also defined for non-singleton 
sets, namely as the (global) choice operator just described. We say a little more 
about these matters when we come to the choice rules. 

We can even eliminate the $\lambda$-notation if we use two additional primitive 
combinators, the so-called S and K combinators of suitable types. For example, 
the identity function $\lambda x.x$ is available as the abbreviation $I = SKK$, cf. [7]. 

7.4 Structural Rules 

In the sequent $\Theta \vdash \Gamma$ we understand $\Theta$ as a conjunction of a set of formulas 
and $\Gamma$ as a disjunction of a set of formulas, and we have the usual rules for a 
monotonic sequent calculus: 

\[
\frac{\Theta, \varphi \vdash \Gamma \qquad \Theta \vdash \varphi, \Gamma}{\Theta \vdash \Gamma}
\qquad
\frac{\Theta \vdash \Gamma}{\Theta, \varphi \vdash \Gamma}
\qquad
\frac{\Theta \vdash \Gamma}{\Theta \vdash \varphi, \Gamma}
\]

Notice that $\varphi \vdash \varphi$ follows from these rules and the rules for equality below. 

7.5 Fundamental Rules 

We use the abbreviation: 

\[ \varphi = \psi = (\lambda pq.\forall x.\,px = qx)\,\varphi\psi \]

We have the usual conversion and extensionality axioms of the $\lambda$-calculus: 

\[ (\lambda v.\varphi)\psi = \varphi[\psi/v] \qquad \varphi = \psi \vdash \varphi = \psi \]

Here $\varphi[\psi/v]$ means the substitution of $\psi$ for the variable $v$ in $\varphi$ (the notation 
presupposes that $\psi$ is substitutable for $v$ in $\varphi$). For later use we note that if the 
notation for an arbitrary so-called eigen-variable $\pi$ is used in place of $\psi$ then it 
must not occur free in other formulas in the given axiom/rule. Also $\varphi[\psi]$ means 
$\varphi[\psi/v]$ for an arbitrary variable $v$ with respect to the given axiom/rule. 

We have the usual reflexivity and substitution axioms for equality: 

\[ \varphi = \varphi \qquad \varphi = \psi,\ e[\varphi] \vdash e[\psi] \]
7.6 Logical Rules 

Let $\overline{\Theta} = \{\overline{\theta} \mid \theta \in \Theta\}$. Negation is different from classical logic. We follow [17] 
and add only the following rules: 

r h 0 N h 0 

0 h r 0 h N 

Conjunction and universal quantification are straightforward: 

\[
\frac{\Theta, \varphi, \psi \vdash \Gamma}{\Theta, \varphi \wedge \psi \vdash \Gamma}
\qquad
\forall v.\varphi \vdash \varphi[\psi/v]
\qquad
\frac{\Theta \vdash \varphi[\pi/v], \Gamma}{\Theta \vdash \forall v.\varphi, \Gamma}
\]

Remember that the eigen-variable condition is built into the notation. 

We also have to provide axioms for the negation and conjunction in case of 
indeterminacy: 

Vx -<x = X X ^ y A Vx A Vy x\y 



7.7 Choice Rules 

We have the following choice axioms [10] corresponding to the Axiom of Choice 
in axiomatic set theory: 

pv pp 

Notice that due to the use of we can only make a choice if 3v. a{pv). If we 
used a different implication the choice might not be possible at all. 

7.8 Generation Rules 

We use the following abbreviations: 

\[ \infty = \top \qquad 0 = \bot \qquad 1 = \partial 0 \qquad 2 = \partial 1 \qquad 3 = \partial 2 \]

N = \x. a; yf oo T = \x.~T 0 = Aa;._L 

We have the following important axioms: 

\[ \partial x = \partial y \Rightarrow x = y \qquad \partial\infty = \infty \qquad p\infty \wedge p0 \wedge (\forall x.\,px \Rightarrow p(\partial x)) \Rightarrow py \]

The first axiom ensures the injective property and the second axiom makes the 
third axiom, the induction principle, work as expected. 

Hence $2 + 2 = 4$ can be stated in $\nabla$ (seeing $+$ as a suitable abbreviation). It 
can also be proved, but many other theorems of ordinary mathematics can not 
be proved, of course (it does not contain arithmetic in general). 

Since h we have among others 1 b 1, but this is just a curiosity. 
7.9 Countably Infinite Indeterminacy 

Let $\omega$ be the axiom: 

(Vx Vx) A Bp.Vy 

No ambiguity is possible with respect to the use of $\omega$ for the set of natural 
numbers, and the motivation is that the axiom $\omega$ introduces a countably infinite 
type in $\nabla$. The first part says that once indeterminate always indeterminate. 
The second part of the axiom $\omega$ says that indeterminacy exists. In other words, 
we can say that $\omega$ yields $\nabla$-confinement and $\nabla$-existence. 

With the axiom $\omega$ we extend $\nabla$ to the indeterminacy theory $\nabla_\omega$ (propositional 
higher order logic with countably infinite indeterminacy) such that all theorems 
of ordinary mathematics can be proved (the axioms can be shown consistent in 
axiomatic set theory [16], which is the standard foundation of mathematics and 
stronger than $\nabla_\omega$, cf. the second Gödel incompleteness theorem). 

Although the propositional higher order logic $\nabla$ is our starting point, the 
indeterminacy theory $\nabla_\omega$ is going to be our most important formal system and 
we use $\Vdash = \{\varphi \mid \omega \vdash \varphi\}$ as a shorthand for its theorems and $\Theta \Vdash \Gamma$ instead of 
$\Theta, \omega \vdash \Gamma$. In particular we previously could have used $\theta_0, \theta_1, \theta_2, \theta_3 \Vdash$ in the 
case study. 

We allow a few more abbreviations: 

(p = ip !\ ~^ip (p = ip\/ ~^ip 

We can now state the interesting property of (coming from V) succinctly: 

p])f p 



7.10 Classical Logic 

Let $\Delta$ be the axiom: 

\[ \Delta x \]

The $\Delta$ axiom is equivalent to $\nabla$-non-existence, namely $\neg\exists x.\nabla x$, and with the 
axiom $\Delta$ we extend $\nabla$ to the classical propositional higher order logic $\nabla_\Delta$ which 
was thoroughly investigated in [14, 2]. 

Finally we can combine the extensions $\nabla_\Delta$ and $\nabla_\iota$ into the classical higher 
order logic $\nabla_{\Delta\iota}$, also known as $Q_0$ based on the typed $\lambda$-calculus, and often seen 
as a restriction of the transfinite type theory $Q$ [3, 21] by removing the transfinite 
types. $Q_0$ is implemented in several automated theorem provers with many active 
users [18,5,9,23]. Classical second order logic, first order logic, elementary logic 
(first order logic without functions and equality) and propositional logic can be 
seen as restrictions of $Q_0$. 

In contrast to the paraconsistent $\nabla_\omega$ the classical $\nabla_{\Delta\iota}$ is not a foundation of 
mathematics, but we obtain the type theory $Q_0$ by replacing the sort $\iota$ with the 
sort $\sigma$ and adding the relevant Peano postulates $\partial x \neq 0 \wedge (\partial x = \partial y \Rightarrow x = y)$ in 
our notation, cf. [4, pp. 209/217] for the details. 
7.11 Other Logics 

In order to investigate finite truth tables, namely the three-valued and four-valued 
logics discussed in previous sections, we have the following abbreviations: 

t ^ i t ^ i 

We get the four-valued logic $\nabla_{\imath\imath}$ by adding the following axiom to $\nabla$: 

\[ \Delta x \vee x = \imath \vee x = \imath\imath \]

Likewise we get the three-valued logic $\nabla_\imath$ by adding the following axiom to $\nabla$: 

\[ \Delta x \vee x = \imath \]

But here t = -L due to the injection property of the indeterminacy generation. 

8 Conclusions and Future Work 

We have proposed a paraconsistent higher order logic with countably infinite 
indeterminacy and described a case study (see [20,22] for further applications). 

We have presented a sequent calculus for the paraconsistent logic $\nabla$ and 
the simple axiom $\omega$ turning $\nabla$ into the $\nabla_\omega$ that can serve as a foundation of 
mathematics. Another axiom $\Delta$ turns $\nabla$ into the classical logic $\nabla_\Delta$. We would like 
to emphasize that it is not at all obvious how to get from $\nabla_\Delta$ to $\nabla$ when the usual 
axiomatics and semantics of $\nabla_\Delta$ do not deal with the axiom $\Delta$ separately as we 
do here. Corresponding to the proof-theoretical $\vdash$ we have the model-theoretical 
$\models$ based on the type universes, and soundness and completeness results are to 
be investigated (the latter with respect to general models of $\nabla$ only). 

We also intend to compare the paraconsistent higher order logic $\nabla$ with 
work on multi-valued higher order resolution [15]. 
Abstract. Abstraction has been used extensively in Artificial Intelligence 
(AI) planning, human problem solving and theorem proving. In 
this article we show how to apply abstraction within Partial Deduction 
(PD) formalism for Linear Logic (LL). The proposal is accompanied with 
formal results identifying limitations and advantages of the approach. 
We adapt a technique from AI planning for constructing abstraction hierarchies, 
which are then exploited during PD. Although the complexity of 
PD for propositional LL is generally decidable, by applying abstraction 
the complexity is reduced to polynomial in certain cases. 



1 Introduction 

Partial Deduction (PD) (or partial evaluation of logic programs, which was first 
introduced by Komorowski [8]) is known as one of optimisation techniques in 
logic programming. Given a logic program, PD derives a more specific program 
while preserving the meaning of the original program. Since the program is more 
specialised, it is usually more efficient than the original program. 

A formalism of PD for !-Horn fragment [5] of Linear Logic [3] (LL) is given 
in [11]. Also soundness and completeness of the formalism are proved there. 
However, the formalism is still limited with the computational complexity arising 
from the underlying logic. Since propositional !-Horn fragment of LL (HLL) can 
be encoded as a Petri net, the complexity of HLL is equivalent to the complexity 
of Petri net reachability checking and thus decidable [5]. Therefore, we consider 
it very important to identify methodologies, which would help to decrease the 
effects inherited from the complexity. 

Abstraction techniques, constituting a subset of divide-and-conquer approaches, 
are widely viewed as methods for making intractable problems tractable. Using 
abstraction techniques we may cut solution search space from $b^d$ to  [9, 15], 
where $b$ and $d$ are respectively the branching factor and the depth of the 
search tree and $k$ is the ratio of the abstraction space to the base space in an 
abstraction hierarchy. 

Korf [9] showed that when optimal abstraction hierarchies are used, it is possible 
to reduce the expected search time from $O(n)$ to $O(\log n)$. This improvement 
makes combinatorial problems tractable. For instance, if $n$ is a function 
exponential in the problem size, then $\log n$ is just linear, according to Korf. The 
essential reason why abstraction reduces complexity is that the total complexity 
is the sum of the complexities of the multiple searches, not their product. 

In the following we shall show how to generate automatically abstraction 
hierarchies for LL applications. Then, when applying PD, first an initial (par- 
tial) proof is constructed in the most abstract space in that hierarchy and then 
gradually the proof is extended while moving from higher levels of abstraction 
towards the base level given by the initial problem. A (partial) proof found at a 
certain abstraction level may be viewed as a proof including “gaps” , which have 
to be filled at lower levels of abstractions. 

The rest of the paper is organised as follows. Section 2 introduces prelim- 
inaries and basic definitions. Section 3 introduces a method for constructing 
abstraction hierarchies. Section 4 focuses on PD with abstraction hierarchies. 
Section 5 demonstrates the application of abstraction to PD. Section 6 reviews 
the related work and concludes the paper. 



2 Preliminaries and Definitions 



2.1 Horn Linear Logic 

In the following we are considering the !-Horn fragment [5] of LL (HLL) consisting of 
multiplicative conjunction ($\otimes$), linear implication ($\multimap$) and the “of course” operator 
(!). In terms of resource acquisition the logical expression $A \otimes B \vdash C \otimes D$ means 
that resources $C$ and $D$ are obtainable only if both $A$ and $B$ are obtainable. 
After the sequent has been applied, $A$ and $B$ are consumed and $C$ and $D$ are 
produced. 

While the implication $A \multimap B$ as a computability statement clause in HLL could 
be applied only once, $!(A \multimap B)$ may be used an unbounded number of times. 
Therefore the latter formula could be represented with an extralogical LL axiom 
$\vdash A \multimap B$. When $A \multimap B$ is applied, then literal $A$ becomes deleted from and 
$B$ inserted to the current set of literals. If there is no literal $A$ available, then 
the clause cannot be applied. In HLL ! cannot be applied to other formulae than 
linear implications. 

Whenever a compact representation is needed we shall write the set of extralogical 
axioms $\{\vdash A \otimes B \multimap C, \vdash D \otimes E \multimap F, \ldots\}$ and the sequent $X \vdash Y$ to 
be proved as a single sequent $X \otimes\, !(A \otimes B \multimap C) \otimes\, !(D \otimes E \multimap F) \vdash Y$. To 
allow shorter representation of formulae, we sometimes use in the following the 
abbreviation $a^n = a \otimes \ldots \otimes a$ ($n$ copies of $a$), for $n > 0$. 



2.2 Partial Deduction for HLL 

In this section we present the definitions of the basic concepts of PD for HLL. 
We adopt the PD framework as it was formalised in [11]. 

Definition 1. Computation Specification Clause (CSC) is a LL sequent 

where $I$ and $O$ are multiplicative conjunctions of literals and $f$ is a function, 
which implements the computation step. 

The succedent and the antecedent of CSC $C$ are denoted with $succ(C)$ and 
$ant(C)$ respectively. 

Definition 2. Computation Specification (CS) is a finite set of CSCs. 

Definition 3. Computation Specification Application (CSA) is defined as 

\[ \Gamma; S \vdash G, \]

where $\Gamma$ is a CS, $S$ is the initial state and $G$ is the goal state of computation. 
Both $S$ and $G$ are represented with multiplicative conjunctions of literals. 



We are going to use letters $S$, $G$ and $\Gamma$ throughout the paper in this context. 
PD back- and forward chaining steps, respectively $\mathcal{R}_b(L_i)$ and $\mathcal{R}_f(L_i)$, are 
defined [10] with the following rules: 

\[
\frac{S \vdash B \otimes C}{S \vdash A \otimes C}\;\mathcal{R}_b(L_i)
\qquad
\frac{A \otimes C \vdash G}{B \otimes C \vdash G}\;\mathcal{R}_f(L_i)
\]

$L_i$ in the inference figures is a labelling of a particular LL axiom representing 
a CSC in the form $\vdash B \multimap A$. $\mathcal{R}_f(L_i)$ and $\mathcal{R}_b(L_i)$ apply clause $L_i$ to move 
the initial state towards the goal state or the other way around. $A$, $B$ and 
$G$ are multiplicative conjunctions. This brings us to the essence of PD, which 
is program manipulation, in our case basically modification of initial and goal 
states. As a side-effect of PD a modified program is created. 



2.3 Abstraction 

Definition 4. Size of a CSA $A$ is the number of different literals $A$ involves 
and is denoted with $\delta(A)$. 

Definition 5. Abstraction $\mathcal{A}$ is a set of literals, which are allowed in a CSA, if 
a particular abstraction is applied. 

Definition 6. Abstraction level is a position in an abstraction hierarchy. The 
lowest abstraction level is denoted with 0 and represents the original problem 
space. 

Definition 7. Abstraction hierarchy $\mathcal{H}$ for a CSA $A$ is a total order of abstractions 
such that $\forall \mathcal{A}_i, \mathcal{A}_j \in \mathcal{H}.\; i \neq j \wedge (\delta(\mathcal{A}_i(A)) < \delta(\mathcal{A}_j(A))) \Rightarrow \mathcal{A}_j(A) \prec \mathcal{A}_i(A)$, 
whereas $i$ and $j$ are abstraction levels. 

Due to the way we construct abstraction hierarchies, it is not possible that 
$\delta(\mathcal{A}_i(A)) = \delta(\mathcal{A}_j(A))$, unless $i = j$. 

Definition 8. If $l$ is a literal, then $Level(l)$ is the highest abstraction level where 
$l$ can appear. 
To explain the notion of level let us consider an abstraction hierarchy in 
Table 1. There $Level(X) = 2$, meaning that literal $X$ occurs in all abstracted 
versions of a net starting from level 2. Similarly $Level(F) = 1$ and $Level(M) = 0$ 
in the same table. 



Definition 9. State $S$ at abstraction level $i$ is denoted with $\mathcal{A}_i(S) = \bigotimes_{j=1}^{n} \mathcal{A}_i(S)(l_j)$, 
where $l_j$ is the $j$-th literal in $S$, $S$ has $n$ literals, and 

\[
\mathcal{A}_i(S)(l) = \begin{cases}
l, & \text{if } Level(l) \geq i \\
1, & \text{otherwise}
\end{cases}
\]

In the preceding 1 is a constant of HLL. In the following we may omit some 
instances of 1 in formulae to keep the representation simpler. Anyway, our formalism 
is still consistent since there are rules in HLL facilitating the removal of 
1 from formulae and we assume that these rules are applied implicitly. 



Definition 10. Abstracted CSC $\vdash I \multimap O$ at abstraction level $i$ is defined as 
$\mathcal{A}_i(\vdash I \multimap O) = \;\vdash \mathcal{A}_i(I) \multimap \mathcal{A}_i(O)$. 

Definition 11. Abstracted CSA $A = \Gamma; S \vdash G$ at abstraction level $i$ is defined 
as $\mathcal{A}_i(A) = \Gamma'; \mathcal{A}_i(S) \vdash \mathcal{A}_i(G)$, where $\Gamma' = \bigcup_{c \in \Gamma} \mathcal{A}_i(c)$. 

At abstraction level 0 an original CSA is presented - $\mathcal{A}_0(A) = A$. We write 
$\Gamma_i$ and $L_i$ to denote respectively a set of CSCs and literals of a CSA $\mathcal{A}_i(A)$. 

Definition 12. Serialised proof fragment (SPF) is a sequence $(S_0, C_1, S_1, \ldots, C_n, S_n)$ 
starting with a state $S_0$ and ending with a state $S_n$. Between every 
two states there is a CSC $C_i$, $i = 1 \ldots n$ such that $S_{i-1}$ is the state where $C_i$ 
was applied with a PD rule and the state $S_i$ is the result achieved by applying 
$C_i$. Whenever a compact representation of a SPF is required, we shall write 
$(C_1, \ldots, C_n)$. 

Definition 13. Partial proof is a pair $(H, T)$, where both $H$ and $T$ are SPFs 
with the first element of $H$ being the initial state and the last element of $T$ 
respectively the goal state. Initially the partial proof has only one element in both 
$H$ and $T$ - the initial state in $H$ and the goal state in $T$. 



The proof is extended in the following way. PD forward step can be applied 
only to the last element of H. Symmetrically, PD backward step can be applied 
only to the first element of T. In the former case the applied CSC and a new 
state are inserted to the end of H. In the latter case the new state and the 
applied CSC are inserted to the beginning of T. 

Definition 14. Complete proof is a partial proof with the last element of H and 
the first element of T being equal. 

If there is no need to distinguish partial and complete proofs, we write just 
proof. 
Definition 15. New CSCs at abstraction level $n$ are defined with the set 
$\{C_i \mid (C_i \in \Gamma) \wedge (\mathcal{A}_{n+1}(C_i) = \;\vdash 1 \multimap 1) \wedge (\mathcal{A}_n(C_i) \neq \mathcal{A}_{n+1}(C_i))\}$. 

Definition 16. SPF $s = (C_1, \ldots, C_n)$, $C_j \in \Gamma$, $j = 1 \ldots n$ at abstraction level $i$ 
is defined as $\mathcal{A}_i(s) = (C_j \mid 0 < j \leq |s|,\ C_j \in \Gamma_i)$. 

Basically it means that at abstraction level $i$ in a partial proof $s$ only those 
CSCs are allowed, which exist in the abstracted CSA at abstraction level $i$. Other 
CSCs are just discarded. The opposite operation to abstraction is refinement. 
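As an added example that is not the paper's own code, the following Python represents HLL states as multisets of literals, implements the PD steps R_f(L_i) and R_b(L_i) of Section 2.2, and implements the abstraction of states, CSCs, clause sets and proof fragments of Definitions 9, 10, 11, 15 and 16. The class, the function names, the sample CSA and its Level values are all constructed for this example; clauses that collapse to 1 ⊸ 1 are dropped from the abstracted clause set, which is how the example realises the "elimination of inessential program clauses" described in Section 3.

```python
# Added example (not from the paper): HLL states as multisets of literals,
# the PD steps of Section 2.2 and the abstractions of Section 2.3.
# The class, the function names, the sample CSA and its Level values are
# all constructed for this example.
from collections import Counter


def contains(big, small):
    """Multiset inclusion: every literal of small occurs at least as often in big."""
    return all(big.get(lit, 0) >= n for lit, n in small.items())


class CSC:
    """Computation specification clause ⊢ I ⊸ O (Definition 1): I and O are
    multisets of literals; the empty multiset plays the role of the constant 1."""

    def __init__(self, name, ant, succ):
        self.name = name
        self.ant = Counter(ant)
        self.succ = Counter(succ)

    def is_trivial(self):
        return not self.ant and not self.succ      # the clause 1 ⊸ 1

    def __eq__(self, other):
        return (self.ant, self.succ) == (other.ant, other.succ)

    def __repr__(self):
        return self.name


def forward_step(state, csc):
    """R_f(L_i): from the initial state B ⊗ C and clause ⊢ B ⊸ A move to A ⊗ C,
    i.e. consume the antecedent and produce the succedent; None if inapplicable."""
    if not contains(state, csc.ant):
        return None
    return state - csc.ant + csc.succ


def backward_step(goal, csc):
    """R_b(L_i): from the goal A ⊗ C and clause ⊢ B ⊸ A move to the goal B ⊗ C,
    i.e. replace the succedent by the antecedent; None if inapplicable."""
    if not contains(goal, csc.succ):
        return None
    return goal - csc.succ + csc.ant


def run_spf(initial, spf):
    """Replay a serialised proof fragment (C_1, ..., C_n) by forward steps from
    the initial state; returns the states (S_0, ..., S_n) or None."""
    states = [Counter(initial)]
    for csc in spf:
        nxt = forward_step(states[-1], csc)
        if nxt is None:
            return None
        states.append(nxt)
    return states


# Abstraction (Section 2.3). `levels` maps a literal to Level(l) (Definition 8).
def abstract_state(state, level, levels):
    """Definition 9: keep literal l at level i iff Level(l) >= i, else replace it by 1."""
    return Counter({lit: n for lit, n in state.items() if levels.get(lit, 0) >= level})


def abstract_csc(csc, level, levels):
    """Definition 10: abstract antecedent and succedent of ⊢ I ⊸ O."""
    return CSC(csc.name, abstract_state(csc.ant, level, levels),
               abstract_state(csc.succ, level, levels))


def abstract_csa(gamma, level, levels):
    """Definition 11: the clause set Γ_i; clauses that collapsed to 1 ⊸ 1 are
    dropped, which is what makes an abstract space smaller."""
    abstracted = (abstract_csc(c, level, levels) for c in gamma)
    return [c for c in abstracted if not c.is_trivial()]


def new_cscs(gamma, level, levels):
    """Definition 15: clauses that are 1 ⊸ 1 at level n+1 but not at level n."""
    return [c for c in gamma
            if abstract_csc(c, level + 1, levels).is_trivial()
            and not abstract_csc(c, level, levels).is_trivial()]


def abstract_spf(spf, level, levels):
    """Definition 16: keep only the clauses of the fragment that survive at level i."""
    return [c for c in spf if not abstract_csc(c, level, levels).is_trivial()]


# Constructed sample CSA  Γ; a ⊢ g  with Level(a)=0, Level(b)=1, Level(c)=Level(g)=2.
C1, C2, C3 = CSC("C1", ["a"], ["b"]), CSC("C2", ["b"], ["c"]), CSC("C3", ["c"], ["g"])
GAMMA = [C1, C2, C3]
LEVELS = {"a": 0, "b": 1, "c": 2, "g": 2}

if __name__ == "__main__":
    print("base-level proof states:", run_spf(["a"], GAMMA))
    top = abstract_csa(GAMMA, 2, LEVELS)
    print("clauses at level 2:", top, " new at level 1:", new_cscs(GAMMA, 1, LEVELS))
    print("abstract proof at level 2:",
          run_spf(abstract_state(Counter(["a"]), 2, LEVELS), top))
```

At level 2 the initial state a abstracts to 1 and C1 disappears, so the abstract proof is the two-step fragment (C2, C3); refining it to the base level only has to insert C1, the single clause that is new at level 1.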

Definition 17. Refinement $\mathcal{R}_k^l$, $k > l$ of a SPF $s = (C_1, \ldots, C_n)$, $C_j \in \Gamma$, $j = 1 \ldots n$ 
from abstraction level $k$ to abstraction level $l$ is defined as a sequence 
$\mathcal{R}_k^l(s) = (a_0, C_1, a_1, \ldots, a_{n-1}, C_n, a_n)$, where $a_i$, $i = 0 \ldots n$ is a sequence of CSCs 
from $\bigcup_{i=l}^{k-1} \Gamma_i$. 

This means that during refinement only new CSCs at particular abstraction 
level may be inserted to partial proofs. In the following we write TZ^ instead of 



3 Generating Abstraction Hierarchies 

In this section we describe how to construct abstraction hierarchies for CSAs. 
These hierarchies are later used to gradually refine an abstract solution dur- 
ing PD. The abstraction method, we propose here, has been inspired from an 
abstraction method [7] from the field of AI planning. 

Given a problem space, which consists of a CSA, our algorithm reformulates 
the original problem into more abstract ones. The main effect of abstraction 
is the elimination of inessential program clauses at every abstraction level and 
thus the division of the original search space into smaller, sequentially searchable 
ones. The original problem represents the lowest abstraction level. 

Ordered monotonicity property is used as the basis for generating abstraction 
hierarchies. This property captures the idea that if an abstract solution is refined, 
the structure of the abstract solution should be maintained. Hence elements in 
the proof fragments of a proof, would not be reordered while extending this 
sequence at abstraction level i — 1. The process of refining an abstract solution 
requires the application of additional CSCs to achieve the literals ignored at 
more abstract levels. 

Definition 18. Ordered monotonic refinement $\mathcal{R}$ is a refinement of an abstract 
solution $s$ so that $\mathcal{A}_i(\mathcal{R}_i^j(s)) = s$, $j < i$, where $s$ is a proof fragment, $i$ denotes the 
abstraction level, where $s$ was constructed and $j$ is the target abstraction level. 

Definition 19. Ordered monotonic hierarchy is an abstraction hierarchy with 
the property that for every solvable problem there exists an abstract solution that 
has a sequence of ordered monotonic refinements into the base space. 
Definition 20. Let $A$ and $B$ be arbitrary vertices in a directed graph. Then we 
say that they are strongly connected, if there exists a cycle with $A$ as its initial 
and final vertex such that this cycle includes vertex $B$. 

An ordered monotonic abstraction hierarchy is constructed by dividing the literals 
of a CSA between abstraction levels such that the literals at level $i$ do not 
interact with literals at level $i + 1$. We say that places $A$ and $B$ do not interact 
with each other, if they are not strongly connected in the constraint graph of the 
particular CSA. Therefore, the ordered monotonicity property guarantees that 
the goals and subgoals arising during the process of refining an abstract solution 
will not interact with the conditions already achieved at more abstract levels. 
This sort of abstraction is considered as Theorem Increasing in [4], stating that 
if a theorem is not provable in an abstract space, it neither is in the base space. 



Algorithm DetermineConstraints(graph, Γ, G) 

inputs: a set of CSCs Γ and a goal state G 

output: constraints, which guarantee ordered monotonicity 

begin 
  for ∀literal ∈ G 
    if not(ConstraintsDetermined(literal, graph)) then 
      ConstraintsDetermined(literal, graph) ← true 
      for ∀csc ∈ Γ 
        if literal ∈ succ(csc) then 
          for ∀l ∈ succ(csc) 
            AddDirectedEdge(literal, l, graph) 
          end for 
          for ∀l ∈ ant(csc) 
            AddDirectedEdge(literal, l, graph) 
          end for 
          DetermineConstraints(graph, Γ, ant(csc)) 
        end if 
      end for 
    end if 
  end for 
  return graph 
end DetermineConstraints 

Fig. 1. Building a constraint graph. 

Our algorithm first generates a graph representing dependencies (see Fig. 1) 
between literals in a CSA, and then, by using that graph, finally generates an 
ordered monotonic abstraction hierarchy (see Fig. 2). 

Antecedents of CSCs of the form $K \multimap 1$ (where $K$ is a multiplicative conjunction 
of literals) are inserted as they occur in the goal state because they, although 
possibly needed for achieving the goal, possibly contain literals not included in 
the constraint graph. The latter is due to the fact that the constraint graph is 
Algorithm CreateHierarchy(Γ, G) 

inputs: a set of CSCs Γ and a goal state G 
output: an ordered monotonic abstraction hierarchy 

begin 
  graph ← DetermineConstraints({}, Γ, G) 
  components ← FindStronglyConnectedComponents(graph) 
  partialOrder ← ConstructReducedGraph(graph, components) 
  absHierarchy ← TopologicalSort(partialOrder) 
  return absHierarchy 
end CreateHierarchy 

Fig. 2. Creating an abstraction hierarchy. 



extended by observing the succedents of CSCs, and in the case a succedent consists only of 
1, the CSC would not be considered. However, these CSCs may still be needed during 
reasoning. 



3.1 The Role of the Initial State 

While building a constraint graph for abstraction, dependencies between literals 
are detected. If it should happen that at least one literal l ∈ S is not included in 
the constraint graph and it does not occur in the goal state G either, then there 
is no proof for the particular CSA. This applies iff there are no CSCs which 
could consume literal l. 

Theorem 1. Given a CSA and a set of edges D_E of the constraint graph D, 
which was constructed for the CSA, if ∃l.(l ∈ S ∧ l ∉ G ∧ l ∉ D_E ∧ ∀c ∈ 
Γ.(succ(c) ≠ 1)), then there is no proof for the CSA. 

Proof. While finding dependencies between literals through constraint graph 
construction, roughly a way for literal propagation is estimated for reaching the 
goal G, and literals on the way are inserted into the graph. Therefore, if not all 
literals l ∈ S are included in the constraint graph, then there is no way to find 
a proof for Γ; S ⊢ G. 

However, some literals in the initial state S may not be engaged during PD 
and thus exist in both states S and G. In that case a literal missing from 
the constraint graph does not indicate that the state G is not reachable. Similarly, 
CSCs C with succ(C) = 1 have to be considered, since they only consume literals 
and are therefore rejected when generating a constraint graph. 

This case is illustrated in Fig. 3(b), where a constraint graph is generated for 
CSA Γ; A ⊗ B ⊗ C ⊢ F. As can be seen in Fig. 3(b), the literal B, although 
being in the state S, is not included in the constraint graph. The same applies 
for literal A. Therefore the CSA has no proof. 
Fig. 3. Γ (a), constraint graph for CSA Γ; A ⊗ B ⊗ C ⊢ F (b), and constraint graph 
for CSA Γ; A ⊗ C ⊢ B ⊗ E (c). 

3.2 Removing Redundant CSCs 

After the possibly required literals have been determined, we can throw away all 
CSCs, which include at least one literal which is not included in the constraint 
graph. In that way the search space would be pruned and search made more 
efficient. Provability of a particular CSA would not be affected by removing 
these CSCs. 

Theorem 2. Given a CSA and a set of edges D_E of the constraint graph D, 
which was constructed for the CSA, we can discard all CSCs c ∈ Γ which 
satisfy condition ∃l.((l ∈ succ(c) ∨ l ∈ ant(c)) ∧ l ∉ D_E ∧ succ(c) ≠ ∅) without 
affecting the provability of the CSA. 

Proof. If there is a CSC c ∈ Γ of a CSA such that ∃l.((l ∈ ant(c) ∨ l ∈ 
succ(c)) ∧ l ∉ D_E), then it means that c was not considered during construction 
of the constraint graph D. Therefore c is not considered relevant for finding a proof 
for the particular CSA and can be discarded. 

CSC reduction is illustrated in Fig. 3(c), where a constraint graph is gen- 
erated for CSA Γ; A ⊗ C ⊢ B ⊗ E. Since literals B and D are not present in 
the constraint graph, they are considered irrelevant for PD. Therefore all CSCs 
c such that B ∈ ant(c) or D ∈ ant(c) or B ∈ succ(c) or D ∈ succ(c) can be 
removed without affecting the provability result of the original problem. Hence 
⊢ B ⊗ C ⊸ D can be removed from Γ. 

3.3 The Computational Complexity of Constructing Abstraction Hierarchies 

According to [7] the complexity of building the constraint graph is O(n * o * l), 
where n is the number of different literals in a CSC, o is the maximum number 
of CSCs relevant for achieving any given literal, and l is the total number of 
different literals in succedents of relevant CSCs. Building a hierarchy is also 
O(n * o * l), since the number of edges in the graph is bounded by n * o * l and 
the complexity of the graph algorithms used is linear. 

4 PD with Abstraction Hierarchies 

To prove hierarchically, sequents are first mapped to the highest level of ab- 
straction. This is done by substituting literals, not essential at that abstraction 
level, in the initial theorem to be proved by the unit of ⊗, which is 1. In this 
way corresponding abstracted initial and final states are formed. Analogously 
we substitute literals in CSCs to form a set of abstracted CSCs. 

Due to ordered monotonicity at every level of abstraction only new CSCs 
can be inserted into a proof, because the old ones have already been placed at 
their respective positions in the proof, if they were needed. By permitting only 
newly introduced CSCs at each level the branching factor of proof search space 
is decreased. 

Every proof found at a higher abstraction level may generate a sequence 
of subgoals for a lower abstraction level, if literals have been restored to the CSCs 
used in these proofs. Thus using abstraction also reduces the distance between 
subgoal states. While extending a proof with new CSCs at a particular 
abstraction level, the gaps in the proof are filled. These gaps were introduced by moving 
to the lower abstraction level. The high-level algorithm for theorem proving with 
abstraction is presented in Fig. 4. 



Algorithm AbstractProver(S, G, H, Γ) 

inputs: the initial and the goal state, an abstraction hierarchy, Γ 

output: P // a set of valid proofs 

begin 
  level ← highestLevel(hierarchy) 
  proof ← {} 
  absInit ← A_level(S) 
  absGoal ← A_level(G) 
  P ← Solve(absInit, proof, absGoal, Γ_level) 
  for i ← level − 1 to 0 
    P2 ← {} 
    for ∀ p ∈ P 
      absInit ← A_i(S) 
      absGoal ← A_i(G) 
      P2 ← P2 ∪ ExtendProof(Γ_i, absInit, absGoal, p, i) 
    end for 
    P ← P2 
  end for 
  return P 
end AbstractProver 

Fig. 4. A pseudocode for theorem proving with abstraction. 

AbstractProver goes incrementally through all abstraction levels starting 
from the highest and ending at the base abstraction level. At every abstrac- 
tion level it computes a set of abstract proofs, which are refined at lower levels 
until a proof has been computed or it is determined that there is no solution for 
a particular CSA. 

The main operation of algorithm ExtendProof is to detect and fill gaps in 
proofs when refining them. The complexity of the algorithm AbstractProver to- 
gether with ExtendProof depends on the number of abstraction levels l_h, on 
the serialised proof length l_p (only CSCs C_i, i = 1 ... n used there are counted) 
and on the number of CSCs in Γ, which is denoted with l_t. 

An abstract proof, found at an abstraction level higher than 0 may be viewed 
as a sequence including “gaps”, which have to be filled at a lower level of ab- 
straction. It has to be emphasised that at one abstraction level several solutions 
may be found and not all of these, if any, lead to a solution at less abstract 
levels. Thus several abstract solutions may have to be refined before a solution 
for a less abstract problem is found. 

Ordered monotonicity determines that while extending a proof s at a lower 
abstraction level, we can insert only new CSCs, whereas the CSCs which are 
already in s, determine new subgoals, which have to be solved at the lower ab- 
straction level. Thus in that way we reduce one monolithic PD problem into 
several smaller PD problems and thereby reduce the distance between subgoals. 
By dividing CSCs between different abstraction levels the branching factor of 
the search space is decreased. Following the former idea we define optimal ab- 
straction hierarchy as an abstraction hierarchy, where at each level exactly one 
new CSC is introduced and a CSA at the highest abstraction level has exactly 
one CSC. 

Definition 21. An optimal abstraction hierarchy H_O of a CSA is an abstraction 
hierarchy with n = |Γ| abstraction levels starting from level 0. Therefore, in H_O, 
|Γ_i \ (Γ_i ∩ Γ_{i+1})| = 1, i = 0 ... n − 2, and |Γ_{n−1}| = 1. 

Theorem 3. Given that an optimal abstraction hierarchy H_O is used, the computa- 
tional complexity of a PD problem with our algorithm is O(|Γ| * |s|), where |Γ| is 
the number of CSCs in a CSA and |s| is the expected length of the complete proof 
s. 

Proof. We define the exponential complexity of PD for HLL as l_t^{l_s}, since it could 
be modelled through Petri net reachability checking. l_t in the preceding is the 
number of CSCs in Γ and l_s = |s| is the length of a complete proof s. Since 
at the lowest abstraction level of H_O we have l_s CSCs in the sequence s, there 
are at every abstraction level at most l_s gaps which have to be filled. By 
assuming that there are l_h abstraction levels in H_O, the resulting complexity 
is O(l_h * l_s * (l_t/l_h)^{l_s}). Since we assumed the usage of an optimal abstraction 
hierarchy (l_t = l_h), the exponential complexity of PD is reduced to O(l_h * l_s * 
1^{l_s}) = O(l_h * l_s), which is polynomial. 

Some restrictions to CSAs, to achieve an optimal abstraction hierarchy, are 
summarised with the following proposition and theorem. 

Proposition 1. There are no strongly connected literals in a constraint graph 
of a CSA if (1) ∀l ∈ L.(|{c | c ∈ Γ ∧ l ∈ succ(c)}| ≤ 1) ∧ (|{c | c ∈ Γ ∧ l ∈ 
ant(c)}| ≤ 1) and (2) ∀c ∈ Γ.(δ(succ(c)) ≤ 1) ∧ (δ(ant(c)) ≤ 1). 

Proof. One can easily see that if the preconditions (1) and (2) are satisfied, a tree 
with branching factor 1 is constructed during dependency graph construction. 
Therefore there are no strongly connected components. 
Theorem 4. If the preconditions of Proposition 1 are satisfied, then our algo- 
rithm in Fig. 2 gives us an optimal abstraction hierarchy. 

Proof. The proof follows from Proposition 1 and Definition 21. 

The last theorem identifies that in order to take advantage of optimal ab- 
straction hierarchies, we have to constrain heavily the CSCs in a CSA. However, 
even if an optimal abstraction hierarchy is not constructed for a CSA, the non- 
optimal one may still help to reduce the complexity of PD. 

5 An Abstraction Example 

In order to demonstrate PD with abstraction, let us consider the following CSA: 

CSAo ::= A (g) M (g) X^&{E (g) iV ^ ^ E 1 M)(g)!(M ^ iV)(g) 

(g)!(/^ ^ F)(g)!(F (g) A ^ ^ A^) h A (g) M (g) 

The corresponding constraint graph, achieved by using the algorithm in 
Fig. 1, is presented in Fig. 5(a). A directed edge from node A to node B in the 
graph indicates that A cannot occur lower in the abstraction hierarchy than B. 




(b) I, M, N, E, H ← F ← X, Y 

Fig. 5. The constraint graph (a) and the abstraction hierarchy derived from it (b). 



One corresponding abstraction hierarchy derived from the graph presented in 
Fig. 5(a) is depicted in Fig. 5(b). Using this abstraction hierarchy, we introduce 2 
new abstracted CSAs CSA_1 and CSA_2 for abstraction levels 1 and 2 respectively: 

CSAi ::= A3(g!(y2 <g) ^ X^)(^\{F (g) A ^ r2)0!(l ^ A) h A^ 

CSA2 ::= A^(g!(y2 <g) ^ A^)(g)!(A ^ F^) h A^ 

The literals and CSCs available at different abstraction levels are represented 
in Table 1. The value “—” there represents that a CSC was abstracted to ⊢ 1 ⊸ 1 
and was thus discarded, because this axiom is already included in HLL. 

In Table 1 the CSCs at abstraction level 2 are obtained by substituting all 
literals except X and Y with the constant 1. For instance, ⊢ H ⊸ E ⊗ I ⊗ M is first 
abstracted to ⊢ 1 ⊸ 1 ⊗ 1 ⊗ 1, because literals H, E, I and M are not allowed at 
abstraction level 2. Since the abstracted CSC is basically equivalent to ⊢ 1 ⊸ 1, 
it is discarded at this abstraction level. Analogously in the CSCs at abstraction 
level 1 only literals F, X and Y are permitted. Finally at abstraction level 0 all 
literals are allowed, because it is the lowest level of abstraction in the particular 
abstraction hierarchy. 



Table 1. An abstraction hierarchy. 

           | Level 0                    | Level 1              | Level 2 
-----------+----------------------------+----------------------+--------------------- 
Literals   | I, E, M, H, N, F, X, Y     | F, X, Y              | X, Y 
CSC1       | ⊢ E ⊗ N ⊸ H                | —                    | — 
CSC2       | ⊢ H ⊸ E ⊗ I ⊗ M            | —                    | — 
CSC3       | ⊢ M ⊸ N                    | —                    | — 
CSC4       | ⊢ I ⊸ F                    | ⊢ 1 ⊸ F              | — 
CSC5       | ⊢ F ⊗ X ⊸ Y^2              | ⊢ F ⊗ X ⊸ Y^2        | ⊢ X ⊸ Y^2 
CSC6       | ⊢ Y^2 ⊗ X'^ ⊸ X'^          | ⊢ Y^2 ⊗ X'^ ⊸ X'^    | ⊢ Y^2 ⊗ X'^ ⊸ X'^ 
S ⊢ G      | E ⊗ M ⊗ X^3 ⊢ E ⊗ M ⊗ X'^  | X^3 ⊢ X'^            | X^3 ⊢ X'^ 
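The two algorithms of Figs. 1 and 2 run on the CSCs of Table 1, as an added Python example that is not part of the paper; it assumes that a CSC can be reduced to the literal sets of its antecedent and succedent (multiplicities dropped), and it reproduces the hierarchy of Fig. 5(b), the literal sets of Table 1 and the discarding of CSCs that collapse to ⊢ 1 ⊸ 1.

```python
"""Constraint graph and ordered monotonic abstraction hierarchy (Figs. 1 and 2).

Added example, not code from the paper. A CSC is modelled by the sets of
literals in its antecedent and succedent; multiplicities such as X^3 are
dropped, an assumption of this example justified by Fig. 1 only looking at
which literals occur. Input: the CSCs of Table 1 and the goal E, M, X.
"""
from itertools import count

CSCS = {                       # name: (ant(csc), succ(csc)), literals only
    "CSC1": ({"E", "N"}, {"H"}),
    "CSC2": ({"H"}, {"E", "I", "M"}),
    "CSC3": ({"M"}, {"N"}),
    "CSC4": ({"I"}, {"F"}),
    "CSC5": ({"F", "X"}, {"Y"}),
    "CSC6": ({"Y", "X"}, {"X"}),
}
GOAL = {"E", "M", "X"}

def determine_constraints(graph, cscs, goal, determined=None):
    """DetermineConstraints (Fig. 1): graph[a] holds every literal b with an
    edge a -> b, i.e. a may not lie lower in the hierarchy than b."""
    if determined is None:             # the ConstraintsDetermined flags
        determined = set()
    for literal in goal:
        if literal in determined:
            continue
        determined.add(literal)
        for ant, succ in cscs.values():
            if literal in succ:
                edges = graph.setdefault(literal, set())
                edges |= succ          # AddDirectedEdge(literal, l) for succ
                edges |= ant           # ... and for ant
                determine_constraints(graph, cscs, ant, determined)
    return graph

def strongly_connected_components(graph):
    """FindStronglyConnectedComponents: Tarjan's algorithm."""
    nodes = set(graph) | {w for ws in graph.values() for w in ws}
    index, low, stack, comps, clock = {}, {}, [], [], count()

    def visit(v):
        index[v] = low[v] = next(clock)
        stack.append(v)
        for w in graph.get(v, ()):
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:         # v is the root of a component
            comp = stack[stack.index(v):]
            del stack[stack.index(v):]
            comps.append(frozenset(comp))

    for v in sorted(nodes):
        if v not in index:
            visit(v)
    return comps

def construct_reduced_graph(graph, comps):
    """ConstructReducedGraph: the DAG of components (the partial order)."""
    comp_of = {v: c for c in comps for v in c}
    reduced = {c: set() for c in comps}
    for v, ws in graph.items():
        for w in ws:
            if comp_of[v] != comp_of[w]:
                reduced[comp_of[v]].add(comp_of[w])
    return reduced

def topological_sort(dag):
    """TopologicalSort (Kahn): sources, the most abstract components, first."""
    indeg = {c: 0 for c in dag}
    for ws in dag.values():
        for w in ws:
            indeg[w] += 1
    ready = sorted((c for c in dag if indeg[c] == 0), key=sorted)
    order = []
    while ready:
        c = ready.pop(0)
        order.append(c)
        for w in sorted(dag[c], key=sorted):
            indeg[w] -= 1
            if indeg[w] == 0:
                ready.append(w)
        ready.sort(key=sorted)
    return order

def create_hierarchy(cscs, goal):
    """CreateHierarchy (Fig. 2): components listed from the highest
    abstraction level (index 0) down to level 0 (last)."""
    graph = determine_constraints({}, cscs, goal)
    comps = strongly_connected_components(graph)
    return topological_sort(construct_reduced_graph(graph, comps))

def allowed_literals(hierarchy, level):
    """Literals permitted at `level`: those of every component at or above it."""
    return set().union(*hierarchy[:len(hierarchy) - level])

def abstract_cscs(cscs, allowed):
    """Replace literals outside `allowed` by 1; a CSC that collapses to
    1 -o 1 is discarded, the "-" entries of Table 1."""
    out = {}
    for name, (ant, succ) in cscs.items():
        ant_a, succ_a = ant & allowed, succ & allowed
        if ant_a or succ_a:
            out[name] = (ant_a, succ_a)
    return out
```

Calling create_hierarchy(CSCS, GOAL) yields [{X, Y}, {F}, {E, H, I, M, N}], i.e. levels 2, 1 and 0 of Fig. 5(b).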



We start PD from level 2 (the highest abstraction level) by finding a proof for 
CSA_2. The resulting complete proof (head H and tail T are not distinguished) 
is represented as: 

(X3, CSC^,X^ (g) V^, CSCe, X^}. 

Now, when moving from abstraction level 2 to level 1, although the CSA 
to be proved would remain the same, the representation of CSC_5 has changed. 
Thus this part of the proof has to be extended. Therefore the resulting proof 
at abstraction level 1 is, in serialised form: 

{X^, CSC 4 , x^ (g) F, CSC 5 , X‘^(g)Y‘^, CSCe, X^). 

At abstraction level 0, in the original problem space, only CSCs CSC_1, CSC_2 
and CSC_3 are new and may be used to extend the partial proof obtained at 
abstraction level 1 to prove the initial problem E ⊗ M ⊗ X^3 ⊢ E ⊗ M ⊗ X'^. 
Thus the complete proof at abstraction level 0 would be: 

{E®M®X^,Vf,E®M®X^® l\ CSC 4 , E ® M ® X^ ® F, CSC 5 , 

,E®M®X‘^®Y^, CSCe, E®M® X"^), 

where 

Vf = {CSC 3 ,E®N®X^®F, CSCi,H®X^®r, CSC 2 ,E®M®X^®r+^y , 
where in turn f = 0 . . . 6 denotes the iteration index. 



6 Related Work and Conclusions 

The first explicit use of abstraction in automated deduction was in the planning 
version of GPS [13]. ABSTRIPS [16] was the first system that attempted to 
automate the formation of abstraction spaces, but only partially automated the 
process. Besides, ABSTRIPS produced only relaxed models [6], by abstracting 
away literals in preconditions; thus the problem space was not abstracted at all. 
However, the algorithm we apply here produces reduced models, where literals 
are abstracted away at a particular abstraction level from all formulae. Other 
approaches to automatic construction of abstraction spaces include [1, 2, 12]. 

In this paper we presented a method to apply abstractions to PD problems 
by using information about dependencies between literals. Then through hierar- 
chical PD the complexity of overall theorem proving would be decreased. 

If an abstract space is formed by dropping conditions from the original prob- 
lem space as we did, information is lost and axioms in the abstract space can 
be applied in situations in which they cannot be applied in the original space. 
Thus, using an abstraction space formed by dropping information, it is difficult 
to guarantee that if there exists an abstract solution, there exists also a solution 
in the base space. This problem is called the false proof problem [14,4]. 

Acknowledgements 

This work is partially supported by the Norwegian Research Foundation in the 
framework of Information and Communication Technology (IKT-2010) program 
- the ADIS project. I would like to thank the anonymous referees for their 
constructive comments and suggestions. 



References 

1. J. S. Anderson and A. M. Farley. Plan abstraction based on operator generalization. 
In Proceedings of the Seventh National Conference on Artificial Intelligence, Saint 
Paul, MN, 1988, pages 100-104, 1988. 

2. J. Christensen. Automatic Abstraction in Planning. PhD thesis, Department of 
Computer Science, Stanford University, 1991. 

3. J.-Y. Girard. Linear logic. Theoretical Computer Science, 50:1-102, 1987. 

4. F. Giunchiglia and T. Walsh. A theory of abstraction. Artificial Intelligence, 
57:323-389, 1992. 

5. M. I. Kanovich. Linear logic as a logic of computations. Annals of Pure and Applied 
Logic, 67:183-212, 1994. 

6. C. A. Knoblock. An analysis of ABSTRIPS. In J. Hendler, editor, Proceedings 
of the First International Conference on Artificial Intelligence Planning Systems 
(AIPS'92), College Park, Maryland, June 15-17, 1992, pages 126-135, 1992. 

7. C. A. Knoblock. Automatically generating abstractions for planning. Artificial In- 
telligence, 68:243-302, 1994. 

8. J. Komorowski. A Specification of An Abstract Prolog Machine and Its Applica- 
tion to Partial Evaluation. PhD thesis, Department of Computer and Information 
Science, Linköping University, Linköping, Sweden, 1981. 

9. R. E. Korf. Planning as search: A quantitative approach. Artificial Intelligence, 
33:65-88, 1987. 







10. P. Küngas and M. Matskin. Linear logic, partial deduction and cooperative problem 
solving. In Proceedings of the First International Workshop on Declarative Agent 
Languages and Technologies (in conjunction with AAMAS 2003), DALT'2003, 
Melbourne, Australia, July 15, 2003, volume 2990 of Lecture Notes in Artificial 
Intelligence. Springer-Verlag, 2004. 

11. P. Küngas and M. Matskin. Partial deduction for linear logic - the symbolic negoti- 
ation perspective. In Proceedings of the Second International Workshop on Declar- 
ative Agent Languages and Technologies (in conjunction with AAMAS 2004), 
DALT'2004, New York, USA, July 19, 2004. Springer-Verlag, 2004. To appear. 

12. A. Y. Levy. Creating abstractions using relevance reasoning. In Proceedings of the 
Twelfth National Conference on Artificial Intelligence (AAAI'94), pages 588-594, 
1994. 

13. A. Newell and H. A. Simon. Human Problem Solving. Prentice-Hall, 1972. 

14. D. A. Plaisted. Theorem proving with abstraction. Artificial Intelligence, 16:47- 
108, 1981. 

15. D. Ruby and D. Kibler. Learning subgoal sequences for planning. In Proceedings of 
the Eleventh International Joint Conference on Artificial Intelligence (IJCAI'89), 
Detroit, Michigan, USA, 20-25 August, 1989, volume 1, pages 609-614, 1989. 

16. E. D. Sacerdoti. Planning in a hierarchy of abstraction spaces. Artificial Intelli- 
gence, 5:115-135, 1974. 




A Decision Procedure for Equality Logic 
with Uninterpreted Functions 



Olga Tveretina 

Department of Computer Science, TU Eindhoven, P.O. Box 513 
5600 MB Eindhoven, The Netherlands 
o.tveretina@tue.nl 



Abstract. The equality logic with uninterpreted functions (EUF) has 
been proposed for processor verification. A procedure for proving satis- 
fiability of formulas in this logic is introduced. Since it is based on the 
DPLL method, the procedure can adopt its heuristics. Therefore the pro- 
cedure can be used as a basis for efficient implementations of satisfiability 
checkers for EUF. A part of the introduced method is a technique for 
reducing the size of formulas, which can also be used as a preprocessing 
step in other approaches for checking satisfiability of EUF formulas. 

Keywords: equality logic with uninterpreted functions, satisfiability, 
DPLL procedure. 



1 Introduction 

The equality logic with uninterpreted functions (EUF) has been proposed for 
verifying hardware [4]. This type of logic is mainly used for proving the equiva- 
lence between systems. When verifying the equivalence between two formulas it 
is often possible to eliminate functions by replacing them with uninterpreted func- 
tions. The abstraction process does not preserve validity and may transform a 
valid formula into an invalid one. However, in some application domains 
the process of abstraction is justified. 

An EUF formula is a Boolean formula over atoms that are equalities between 
terms. In this logic, formulas have truth values while terms have values from some 
domain. For example, the formula 

f(x) ≉ f(z) ∧ x ≈ y ∧ y ≈ z 

is unsatisfiable. 

Here we write ≈ for equality rather than ‘=’ to avoid confusion with other 
applications of the symbol ‘=’, and we use the notation s ≉ t as an abbreviation 
of ¬(s ≈ t). 

In the past years, various procedures for checking the satisfiability of such 
formulas have been suggested. Barrett et al. [2] proposed a decision procedure 
based on computing congruence closure in combination with case splitting. 

In [1] Ackermann showed that the problem of deciding the validity of an 
EUF formula can be reduced to checking the satisfiability of the equality for- 
mula. Many current approaches [6,3] use a transformation of EUF formulas into 
function-free formulas of the equality logic. Then the equality logic formula can 
be transformed into a propositional one and a standard satisfiability checker 
can be applied. Goel et al. [6] and Bryant et al. [3] reduced an equality formula 
to a propositional one by adding transitivity constraints. In this approach it is 
analyzed which transitivity properties may be relevant. 

A different approach is called range allocation [9,10]. In this approach a 
formula structure is analyzed to define a small domain for each variable. Then 
a standard BDD-based tool is used to check satisfiability of the formula under 
the domain. 

Another approach is given in [7]. This approach is based on BDD compu- 
tation, with some extra rules for dealing with transitivity. Unfortunately, the 
unicity of the reduced BDDs is lost. 

In this paper an approach based on the Davis-Putnam-Logemann-Loveland 
procedure (DPLL) [5] is introduced. 

The DPLL procedure was introduced in the early 60s as a proof procedure for 
first-order logic. Nowadays, only its propositional logic core component is widely 
used in efficient provers. The success was a motivation for developing a DPLL- 
based procedure for the equality logic with uninterpreted functions. The main 
idea of the DPLL method is to choose an atom from the formula and proceed 
with two recursive calls: one obtained by assuming this atom and another by 
assuming the negation of the atom. The procedure terminates with the answer 
“unsatisfiable” if the empty clause is derived for all branches, and otherwise it 
returns “satisfiable” . 

The first technique based on the DPLL method for EUF is introduced in [8] . 
The proposed DPLL procedure calls the congruence closure module for positive 
equations. 

In this paper a different procedure based on the DPLL method is proposed. 
The main problem dealt with in the paper is: given an EUF formula, decide 
whether it is satisfiable or not. As in propositional logic, every EUF 
formula can be transformed into an EUF formula in conjunctive normal form 
(CNF) such that the original formula is satisfiable if and only if the CNF is 
satisfiable. Hence we may, and shall, concentrate on satisfiability of a formula in 
conjunctive normal form. The idea of UIF-DPLL is to split on a literal that occurs 
in purely positive clauses of length more than one, and to apply the reduction 
rules. 

This paper is organized as follows. In Section 2 basic definitions are given. In 
Section 3 the DPLL method is described. The UIF-DPLL calculus is presented in 
Section 4. In Section 5 the UIF-DPLL procedure is introduced and a proof of its 
soundness and completeness is given. The technique for reducing the size of a 
formula and an optimized procedure are presented in Section 6. Some concluding 
remarks are in Section 7. 

2 Basic Definitions and Preliminaries 

Each EUF formula can be straightforwardly converted into an equivalent CNF 
in the same manner as in propositional logic. The well-known Tseitin transfor- 
mation [12] transforms an arbitrary propositional formula into a CNF in such a 
way that the original formula is satisfiable if and only if the CNF is satisfiable. 
Both the size of the resulting CNF and the complexity of the transformation 
procedure are linear in the size of the original formula. In this transformation new 
propositional variables are introduced. So applying it directly to EUF formulas 
will yield a CNF in which the atoms are both equalities and propositional vari- 
ables. However, if we have n propositional variables p_1, ..., p_n we can introduce 
n + 1 fresh variables x, y_1, ..., y_n and replace every propositional variable p_i by 
the equality x ≈ y_i. In this way satisfiability is easily seen to be maintained. 
Hence we may and shall restrict to the satisfiability of CNFs. 

2.1 Syntax 

Let Σ = (Fun, ≈) be a signature, where Fun = {f, g, h, ...} is a set of function 
symbols. 

For every function symbol its arity is defined, being a non-negative integer. 
We assume a set Var = {x, y, z, ...} of variables. The sets Var and Fun are 
pairwise disjoint. 

The set Term of terms is inductively defined as follows. 

• x ∈ Var is a term, 

• f(t_1, ..., t_n) is a term if t_1, ..., t_n are terms, and f ∈ Fun. 

Symbols s, t, u denote terms. 

A subterm of a term t is called proper if it is distinct from t. The set of 
subterms of a term t is denoted by SubTerm(t). The set of proper subterms of a 
term t is denoted by SubTerm_p(t). 

The depth of a term t is denoted by depth(t) and inductively defined as 
follows. 

— depth(x) = 1 if x ∈ Var, 

— depth(f(t_1, ..., t_n)) = 1 + max(depth(t_1), ..., depth(t_n)). 

An atom a is an equality of the form s ≈ t, where s, t ∈ Term. We consider 
s ≈ t and t ≈ s as the same atom. The set of atoms over the signature Σ is 
denoted by At(Σ, Var) or for simplicity by At. 

A literal l is an atom or a negated atom. We say that l is a positive literal 
if it coincides with some atom a, otherwise it is called a negative literal. The 
set of all literals over the signature Σ is denoted by Lit(Σ, Var) or, if it is not 
relevant, by Lit. By t ⋈ s is denoted either a literal t ≈ s or a literal t ≉ s. 

A clause C is a set of literals. The number of literals in a clause is called 
the length of the clause. The clause of length 0 is called the empty clause, and 
it is denoted by ⊥. A non-empty clause C is called positive if it contains only 
positive literals, otherwise it is called negative. The set of clauses is denoted by 
Cls. A clause is called unit if it contains only one literal. 

A formula φ is a set of clauses. The set of formulas is denoted by Cnf. 
The set of positive clauses of length more than one contained in φ is called 
the core of φ, and it is denoted by Core(φ). 

In a CNF φ let 

— Var(φ) be the set of all constants in φ, 

— At(φ) be the set of all atoms in φ, 

— Lit(φ) be the set of all literals in φ, 

— MLit(φ) be the multiset of all literals contained in φ, 

— Cls(φ) be the set of all clauses in φ. 

We define Term(φ) = {t ∈ Term | ∃s ∈ Term : (t ⋈ s) ∈ Lit(φ)}. 

SubTerm(φ) = ⋃_{t ∈ Term(φ)} SubTerm(t). 



2.2 Semantics 

Let At be a set of atoms. 

We define an interpretation as a function 

I : At → {true, false}. 

A literal l is true in I iff either l is an atom a and I(a) = true, or l is a negated 
atom ¬a and I(a) = false. We write I ⊨ l if a literal l is true in I. 

We define an E-interpretation as one satisfying the following conditions. 

— I ⊨ t ≈ t; 

— if I ⊨ s ≈ t then I ⊨ t ≈ s; 

— if I ⊨ s ≈ u and I ⊨ u ≈ t then I ⊨ s ≈ t; 

— if I ⊨ s_i ≈ t_i for all i ∈ {1, ..., n} then I ⊨ f(s_1, ..., s_n) ≈ f(t_1, ..., t_n). 

We write I ⊨ φ if a formula φ is true in I. 

Definition 1. A formula φ is called satisfiable if I ⊨ φ for some E-interpretation I. 
Otherwise φ is called unsatisfiable. 

By definition the empty clause ⊥ is unsatisfiable. 

We will use throughout the paper the following notations. 

Let s ∉ SubTerm(t). Then φ[t := s] denotes the formula that is obtained from 
φ by substituting recursively all occurrences of the term t by the term s till no 
occurrence of t is left. 

Example 2. Let us consider φ = {{f(f(x)) ≈ y}, {x ≈ g(y)}}. 
Then φ[f(x) := x] = {{x ≈ y}, {x ≈ g(y)}}. 

We define φ|_l = {C − {¬l} | C ∈ φ, l ∉ C}. 

Example 3. Let us consider φ = {{x ≈ f(y), z ≈ g(z)}, {x ≉ f(y), y ≈ g(z)}}. 
Then φ|_{x ≈ f(y)} = {{y ≈ g(z)}}. 
3 The DPLL Procedure 

The DPLL procedure is a decision procedure for CNF formulae in propositional 
logic, and it is the basis of some of the most successful propositional satisfiability 
solvers to date. This is the fastest known algorithm for satisfiability testing that 
is not just sound, but also complete. 

The basic DPLL procedure recursively implements the three rules: unit prop- 
agation, pure literal elimination and recursive splitting. 

• Unit propagation: Given a unit clause {l}, remove all clauses that contain the 
literal l, including the clause itself, and delete all occurrences of the literal 
¬l from all other clauses. Moreover, the literal l is assigned to true. 

• Pure literal elimination: A pure literal is a literal that appears only in pos- 
itive or only in negative form. Eliminate all clauses containing pure literals. 
Moreover, each pure literal is assigned to true. 

• Splitting: Choose some literal l ∈ Lit(φ). Now φ is unsatisfiable iff both 
φ ∪ {{l}} and φ ∪ {{¬l}} are unsatisfiable. Selecting a literal for splitting is 
nondeterministic, so various heuristics can be employed. 

The algorithm starts with a set of clauses and simplifies the set of clauses 
simultaneously. The stopping cases are: 

• An empty set of clauses is satisfiable; in this case, the entire algorithm ter- 
minates with “satisfiable”. 

• A set containing an empty clause is not satisfiable; in this case, the algorithm 
backtracks and tries a different value for an instantiated variable. 

The DPLL procedure returns a satisfying assignment, if one exists. It can be 
extended to return all satisfying assignments. 

We have chosen the DPLL procedure to develop our procedure for the fol- 
lowing reasons. 

• DPLL is a simple and an efficient algorithm. 

• Many current state-of-the-art solvers are based on DPLL. 

• It can be extended to compute an interpretation. 



4 The UIF-DPLL Calculus 

UIF-DPLL can be used to decide the satisfiability of equality logic formulas with 
uninterpreted functions in conjunctive normal form. The main operations of the 
method are unit propagation I, unit propagation II, tautology atom removing, 
and splitting (recursive reduction to smaller problems). If the empty clause is 
derived for all branches then the procedure returns “unsatisfiable”. Otherwise it 
returns “satisfiable”. 

The rules of the UIF-DPLL calculus are depicted in Figure 1. 







Unit propagation I: 

    {{x ≈ y}} ∪ φ 
    ─────────────────   if x, y ∈ Var(φ) 
    φ[x := y] 

Unit propagation II: 

    {{s ≈ t}} ∪ φ 
    ─────────────────────────   if s, t ∈ Term(φ), t ∉ SubTerm(s) 
    {{s ≈ t}} ∪ φ[t := s] 

Tautology atom removing:   if (t ≈ t) ∈ At(φ) 

Splitting:   if l ∈ Lit(Core(φ)) 

Fig. 1. The rules of the UIF-DPLL calculus 



Definition 4. Unit propagation I, unit propagation II and tautology atom re- 
moving rules are called reduction rules. 

The set of reduction rules of the UIF-DPLL is terminating. We will prove it 
in Section 4.1. 

Definition 5. A CNF φ is called reduced if none of the reduction rules of the 
UIF-DPLL calculus is applicable. 

4.1 Termination of the Set of Reduction Rules 

We will use the notation ⊎ for disjoint union, i.e., when we write φ ⊎ ψ we are 
referring to the union φ ∪ ψ and also asserting that φ ∩ ψ = ∅. 

Definition 6. A unit clause {s ≈ t} is called a non-propagated clause in φ ⊎ 
{{s ≈ t}} if s, t ∈ Term(φ). 

The set of all non-propagated clauses in φ is denoted by NPCls(φ). 

Example 1 . Let us consider the formula 

: Ml « f{xi,y\) A U2 « f{x2, 2/2) A 2; « g{ui,U2) A z 9^ g{f{xi,yi),f{x2, 2/2))- 
One can see that 

NPCIs(^(/)) = {{mi rs f{xi,yi)},{u2 « /(a;2, 2/2)}}- 



For each $\phi \in \mathrm{Cnf}$ we define $k(\phi) = |\mathrm{Term}(\phi)| + |\mathrm{MLit}(\phi)|$. 

Definition 8. We define a total order $\prec_1$ and a total order $\prec_2$ on CNFs as 
follows. 

$\phi \prec_1 \psi$ if $k(\phi) < k(\psi)$. 

$\phi \prec_2 \psi$ if $\mathrm{NPCls}(\phi) < \mathrm{NPCls}(\psi)$. 
Lemma 9. (termination) Let $\phi \in \mathrm{Cnf}$. Then the set of reduction rules of the 
UIF-DPLL calculus is terminating. 

Proof. Let $\phi$ be a CNF and let $\psi$ be the CNF obtained from $\phi$ by applying an arbitrary 
reduction rule of the UIF-DPLL calculus. One can check that either 
$\mathrm{NPCls}(\psi) < \mathrm{NPCls}(\phi)$ or $k(\psi) < k(\phi)$. Trivially, $\prec_1$ and $\prec_2$ are well-founded 
orders on CNFs. We obtain that the set of reduction rules of the UIF-DPLL 
calculus is terminating. □ 



5 The UIF-DPLL Procedure 

In this section we introduce the UIF-DPLL procedure and prove its soundness 
and completeness. 

The algorithm is implemented by the function UIF-DPLL() in Figure 2. 

The UIF-DPLL procedure takes as input an EUF formula in conjunctive normal 
form and returns either “satisfiable” or “unsatisfiable”. It invokes the function 
REDUCE. 

REDUCE takes as input a CNF $\phi$, applies the reduction rules of the UIF-DPLL 
calculus until none of the rules is applicable, and returns a reduced CNF. 

The function REDUCE($\phi$) is not uniquely defined, as we will show with an 
example. 

Example 10. Let us consider the formula 

$$\phi = \{\{a \approx f(b)\}, \{a \approx g(c)\}, \{f(b) \approx h(a, c)\}\}.$$ 

We apply the unit propagation II rule to $a \approx f(b)$. We can replace $a$ with $f(b)$. 
In this case we obtain 

$$\phi' = \{\{a \approx f(b)\}, \{f(b) \approx g(c)\}, \{f(b) \approx h(f(b), c)\}\}.$$ 

The formula $\phi'$ is reduced. 

We can also replace $f(b)$ with $a$. The result is the reduced formula 

$$\phi'' = \{\{a \approx f(b)\}, \{a \approx g(c)\}, \{a \approx h(a, c)\}\}.$$ 



The UIF-DPLL procedure works recursively, according to the following steps. 

• $\phi$ is replaced by a CNF REDUCE($\phi$) such that $\phi$ is satisfiable iff REDUCE($\phi$) 
is satisfiable. 

• If $\bot \in \phi$, UIF-DPLL($\phi$) returns “unsatisfiable”. 

• If $\mathrm{Core}(\phi) = \emptyset$, where $\phi$ is reduced, then UIF-DPLL($\phi$) returns “satisfiable”. 

• If none of the above situations occurs, then ChooseLiteral($\mathrm{Core}(\phi)$) returns a 
literal which occurs in $\mathrm{Core}(\phi)$ according to some heuristic criterion. 
UIF-DPLL(φ): 
begin 
    φ := REDUCE(φ); 
    if (⊥ ∈ φ) 
        return “unsatisfiable”; 
    if (Core(φ) = ∅) 
        return “satisfiable”; 
    l := ChooseLiteral(Core(φ)); 
    if (UIF-DPLL(φ ∪ {{l}}) is “satisfiable”) 
        return “satisfiable”; 
    else 
        return UIF-DPLL(φ ∪ {{¬l}}); 
end 

Fig. 2. The UIF-DPLL procedure 



Example 11. As an example we consider a formula that arose during translation 
validation [9], where concrete functions are replaced by uninterpreted function sym- 
bols. 

$$\phi_0 : \{\{u_1 \approx f(x_1, y_1)\}, \{u_2 \approx f(x_2, y_2)\}, \{z \approx g(u_1, u_2)\}, \{z \not\approx g(f(x_1, y_1), f(x_2, y_2))\}\}.$$ 

After applying the unit propagation II rule, we obtain 

$$\phi_1 = \{\{u_1 \approx f(x_1, y_1)\}, \{u_2 \approx f(x_2, y_2)\}, \{z \approx g(u_1, u_2)\}, \{z \not\approx g(u_1, f(x_2, y_2))\}\},$$ 

$$\phi_2 = \{\{u_1 \approx f(x_1, y_1)\}, \{u_2 \approx f(x_2, y_2)\}, \{z \approx g(u_1, u_2)\}, \{z \not\approx g(u_1, u_2)\}\},$$ 

$$\phi_3 = \{\{u_1 \approx f(x_1, y_1)\}, \{u_2 \approx f(x_2, y_2)\}, \{z \approx g(u_1, u_2)\}, \{z \not\approx z\}\}.$$ 

After applying the tautology atom removing rule, we obtain 

$$\phi_4 = \{\{u_1 \approx f(x_1, y_1)\}, \{u_2 \approx f(x_2, y_2)\}, \{z \approx g(u_1, u_2)\}, \bot\}.$$ 

Since $\bot \in \phi_4$, $\phi_4$ is unsatisfiable and therefore $\phi_0$ is unsatisfiable. 
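The procedure of Figure 2, run on Example 11, as an added Python example (written for this page; it is not code from the paper). Three points are assumptions made for the example, not statements of the page: Term(φ) is taken to be the set of all subterms occurring in φ (the reading under which Example 7 comes out as stated), Core(φ) is taken to be the set of non-unit clauses consisting of positive literals only (the reading the satisfiability criterion of Section 5.1 relies on), and the negative unit clause {s ≉ t} added by a split is propagated into longer clauses by ordinary propositional unit resolution, a sound step the figure does not spell out. Terms, literals and the sample clauses are constructed inline.

```python
"""Toy UIF-DPLL over EUF clauses, following Fig. 2 and Examples 10 and 11.

Terms: a variable is a str; an application is a tuple (fname, arg1, ...).
Literal: (positive, s, t) means s ≈ t when positive is True, s ≉ t otherwise.
Clause: frozenset of literals (the empty frozenset is ⊥); CNF: list of clauses.
"""


def lit(positive, s, t):
    """Build a literal with a canonical orientation, so s ≈ t and t ≈ s coincide."""
    return (positive,) + tuple(sorted((s, t), key=repr))


def negate(l):
    return (not l[0], l[1], l[2])


def subterms(t):
    """All subterms of t, t itself included."""
    yield t
    if isinstance(t, tuple):
        for a in t[1:]:
            yield from subterms(a)


def term_set(cnf):
    """Term(φ): assumed here to be every subterm occurring in φ."""
    return {x for c in cnf for (_, s, t) in c for side in (s, t) for x in subterms(side)}


def subst(t, old, new):
    """t[old := new]: replace every occurrence of the term old by new."""
    if t == old:
        return new
    if isinstance(t, str):
        return t
    return (t[0],) + tuple(subst(a, old, new) for a in t[1:])


def subst_cnf(cnf, old, new):
    return [frozenset(lit(p, subst(s, old, new), subst(t, old, new)) for (p, s, t) in c)
            for c in cnf]


def tautology_step(cnf):
    """Tautology atom removing: a clause containing t ≈ t is true and is dropped;
    a literal t ≉ t is false and is dropped from its clause (possibly leaving ⊥)."""
    out = []
    for c in cnf:
        if any(p and s == t for (p, s, t) in c):
            continue
        out.append(frozenset(l for l in c if l[0] or l[1] != l[2]))
    return out


def unit_resolve(cnf):
    """Assumption: plain propositional unit resolution, used so that the negative
    unit clause added by splitting shortens the clauses of Core(φ)."""
    units = {next(iter(c)) for c in cnf if len(c) == 1}
    out = []
    for c in cnf:
        if len(c) > 1 and c & units:
            continue                                    # subsumed by a unit clause
        out.append(c if len(c) == 1 else frozenset(l for l in c if negate(l) not in units))
    return out


def propagate_step(cnf):
    """One application of unit propagation I or II, or None if neither applies."""
    for i, c in enumerate(cnf):
        if len(c) != 1:
            continue
        (p, s, t), = c
        if not p or s == t:
            continue
        rest = cnf[:i] + cnf[i + 1:]
        terms = term_set(rest)
        if s not in terms or t not in terms:
            continue                                    # a non-propagated clause
        if isinstance(s, str) and isinstance(t, str):
            return subst_cnf(rest, s, t)                # rule I: φ[x := y], unit clause dropped
        if t not in set(subterms(s)):
            return [c] + subst_cnf(rest, t, s)          # rule II: {{s ≈ t}} ∪ φ[t := s]
        if s not in set(subterms(t)):
            return [c] + subst_cnf(rest, s, t)          # rule II, the other orientation
    return None


def reduce_cnf(cnf):
    """REDUCE: apply reduction rules until none applies (Lemma 9: this terminates)."""
    while True:
        simplified = unit_resolve(tautology_step(cnf))
        if simplified != cnf:
            cnf = simplified
            continue
        if any(len(c) == 0 for c in cnf):
            return cnf
        nxt = propagate_step(cnf)
        if nxt is None:
            return cnf
        cnf = nxt


def core(cnf):
    """Core(φ): assumed here to be the non-unit clauses made of positive literals only."""
    return [c for c in cnf if len(c) > 1 and all(p for (p, _, _) in c)]


def uif_dpll(cnf):
    """The procedure of Fig. 2."""
    cnf = reduce_cnf(cnf)
    if any(len(c) == 0 for c in cnf):
        return "unsatisfiable"
    cr = core(cnf)
    if not cr:
        return "satisfiable"
    l = next(iter(cr[0]))                               # ChooseLiteral: first literal found
    if uif_dpll(cnf + [frozenset([l])]) == "satisfiable":
        return "satisfiable"
    return uif_dpll(cnf + [frozenset([negate(l)])])


def example_11():
    """φ0 of Example 11 (constructed from the page)."""
    f1, f2 = ("f", "x1", "y1"), ("f", "x2", "y2")
    return [frozenset([lit(True, "u1", f1)]), frozenset([lit(True, "u2", f2)]),
            frozenset([lit(True, "z", ("g", "u1", "u2"))]),
            frozenset([lit(False, "z", ("g", f1, f2))])]


if __name__ == "__main__":
    print(uif_dpll(example_11()))                       # unsatisfiable
```

On Example 11 the three unit propagation II steps of the page are reproduced in order (f(x1, y1) and f(x2, y2) are replaced by u1 and u2, then g(u1, u2) by z), after which tautology atom removing turns {z ≉ z} into ⊥. On Example 10 the code picks the second of the two reductions shown there, φ'', since it replaces the compound side by the variable.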



5.1 Satisfiability Criterion 

Let $\phi$ be a reduced CNF not containing the empty clause and with $\mathrm{Core}(\phi) = \emptyset$. We will 
give a proof that such a CNF $\phi$ is satisfiable. 

Let $\phi$ be a reduced CNF with $\mathrm{Core}(\phi) = \emptyset$. Since $\mathrm{Core}(\phi) = \emptyset$, every clause 
of length more than one contains at least one negative literal. Let $\psi \in \mathrm{Cnf}$ be 
obtained from $\phi$ by removing from all clauses of length more than one all literals 
except one negative literal. Then, trivially, if $I \models \psi$ for some E-interpretation $I$ 
then $I \models \phi$, i.e. $\phi$ is satisfiable if $\psi$ is satisfiable. It means that w.l.o.g. we can 
restrict ourselves to the case when $\phi$ contains only unit clauses. 
The set of CNFs containing only unit clauses is denoted by UCnf. 

At first we introduce two binary relations on the set of terms contained in $\phi$. 

Definition 12. Let $\phi \in \mathrm{UCnf}$. The binary relation $\sim_\phi$ is the smallest relation 
over $\mathrm{Term}(\phi) \times \mathrm{Term}(\phi)$ such that: 

1. $s \sim_\phi t$, if $\{s \approx t\} \in \phi$. 

2. $\sim_\phi$ is reflexive, symmetric, and transitive. 

Definition 13. The binary relation $=_\phi$ is the smallest relation over $\mathrm{SubTerm}(\phi) 
\times \mathrm{SubTerm}(\phi)$ such that: 

1. $s =_\phi t$, if $\{s \approx t\} \in \phi$. 

2. $f(s_1, \dots, s_n) =_\phi f(t_1, \dots, t_n)$, if $s_i =_\phi t_i$, $1 \le i \le n$, and $f(s_1, \dots, s_n), 
f(t_1, \dots, t_n) \in \mathrm{SubTerm}(\phi)$. 

3. $=_\phi$ is reflexive, symmetric, and transitive. 



Lemma 14. Let $\phi \in \mathrm{UCnf}$ be reduced. Then for each $s, t \in \mathrm{Term}(\phi)$ 

$s \sim_\phi t$ if and only if $s =_\phi t$. 

Proof. ($\Rightarrow$) Suppose $s \sim_\phi t$. Then by Definitions 12 and 13, we obtain $s =_\phi t$. 

($\Leftarrow$) Suppose $s =_\phi t$. By the lemma assumption $\phi$ is reduced. Then for each 
$\{s' \approx t'\} \in \phi$, either $s' \notin \mathrm{SubTerm}(\phi \setminus \{\{s' \approx t'\}\})$ or $t' \notin \mathrm{SubTerm}(\phi \setminus \{\{s' \approx 
t'\}\})$. We can conclude that condition (2) can never be applied. Then $s =_\phi t$ 
implies $s \sim_\phi t$. □ 

Lemma 15. Let $\phi \in \mathrm{UCnf}$ be reduced. If $\{s \not\approx t\} \in \phi$, where $s, t \in \mathrm{Term}(\phi)$, then 
$s \not\sim_\phi t$. 

Proof. Let us consider an arbitrary $\{s \not\approx t\} \in \phi$, where $s, t \in \mathrm{Term}(\phi)$. We will prove 
by contradiction that $s \neq_\phi t$. 

Assume that $\{s \not\approx t\} \in \phi$ and $s =_\phi t$. If $s =_\phi t$ then one of the following 
holds. 

— $s = t$. Then $\{s \not\approx s\} \in \phi$. In this case the tautology atom removing rule can 
be applied. This contradicts that $\phi$ is reduced. 

— there are $u_0, \dots, u_n \in \mathrm{Term}(\phi)$ such that $s = u_0$, $t = u_n$ and 

$$\{u_0 \approx u_1\}, \{u_1 \approx u_2\}, \dots, \{u_{n-1} \approx u_n\} \in \phi.$$ 

This also contradicts that $\phi$ is reduced. 

We can conclude that $s \neq_\phi t$. Then by Lemma 14, $s \not\sim_\phi t$. □ 

Theorem 16. Let $\phi \in \mathrm{UCnf}$. Then $\phi$ is unsatisfiable if and only if there exist 
$s, t \in \mathrm{Term}(\phi)$ such that 

$$\{s \not\approx t\} \in \phi \quad \text{and} \quad s =_\phi t.$$ 

Proof. See [11]. 

Theorem 17. (Satisfiability criterion) Let $\phi \in \mathrm{Cnf}$ such that 

— $\phi$ is reduced, 

— $\bot \notin \phi$, 

— $\mathrm{Core}(\phi) = \emptyset$. 

Then $\phi$ is satisfiable. 

Proof. By the theorem assumption $\mathrm{Core}(\phi) = \emptyset$. Then every clause of length 
more than one contains at least one negative literal. Let $\psi \in \mathrm{Cnf}$ be obtained 
from $\phi$ by removing from all clauses of length more than one all literals except 
one negative literal. The obtained $\psi$ is reduced by construction. Since $\psi \in \mathrm{UCnf}$ 
and $\psi$ is reduced, by Lemma 15 and Theorem 16, $\psi$ is satisfiable. If $\psi$ is 
satisfiable then $I \models \psi$ for some E-interpretation $I$. One can easily see that $I \models \phi$, 
i.e. $\phi$ is satisfiable. □ 

5.2 Soundness and Completeness of the UIF-DPLL Procedure 

In this section we will prove that the UIF-DPLL procedure is sound and com- 
plete. One can see that both unit propagation rules and the tautology atom 
removing rule preserve (un)satisfiability of a formula. 

Lemma 18. Let $\phi \in \mathrm{Cnf}$. Then $\phi$ is satisfiable if and only if REDUCE($\phi$) is 
satisfiable. 

Proof. One can easily check that the rules of the UIF-DPLL calculus preserve 
(un)satisfiability. □ 

Theorem 19. (Soundness and Completeness) A CNF $\phi$ is unsatisfiable if and 
only if UIF-DPLL($\phi$) returns “unsatisfiable”. 

Proof. ($\Rightarrow$) Let $\phi$ be an unsatisfiable CNF. 

Let $\bot \in \phi$. Then by definition of the function REDUCE(), $\bot \in$ REDUCE($\phi$), 
and the procedure returns “unsatisfiable”. 

Let $\bot \notin \phi$. We will give a proof by induction on $|\mathrm{MLit}(\mathrm{Core}(\phi))|$. 

Base case. $|\mathrm{MLit}(\mathrm{Core}(\phi))| = 0$. Then one of the following holds. 

— $\bot \in$ REDUCE($\phi$). Then the procedure returns “unsatisfiable”. 

— $\bot \notin$ REDUCE($\phi$). Since $|\mathrm{MLit}(\mathrm{Core}(\phi))| = 0$, $\mathrm{Core}(\mathrm{REDUCE}(\phi)) = \emptyset$. 
By Theorem 17, we obtain that REDUCE($\phi$) is satisfiable. By Lemma 18, $\phi$ 
is also satisfiable. We obtain a contradiction with the assumption that $\phi$ is 
unsatisfiable. Then $\bot \in$ REDUCE($\phi$) and the procedure returns “unsatisfi- 
able”. 

Inductive step. Let for every $\phi \in \mathrm{Cnf}$ the procedure return “unsatisfiable” if 
$|\mathrm{MLit}(\mathrm{Core}(\phi))| < n$. 

Assume that $|\mathrm{MLit}(\mathrm{Core}(\phi))| = n$. We denote REDUCE($\phi$) by $\psi$. One can 
easily check that by definition of UIF-DPLL, for each $l \in \mathrm{Core}(\psi)$ 

$$|\mathrm{MLit}(\mathrm{Core}(\mathrm{REDUCE}(\psi \wedge l)))| < n, \qquad |\mathrm{MLit}(\mathrm{Core}(\mathrm{REDUCE}(\psi \wedge \neg l)))| < n.$$ 

Since $\phi$ is unsatisfiable, by Lemma 18 $\psi$ is also unsatisfiable. Then for 
each $l \in \mathrm{Lit}$, $\psi \wedge l$ and $\psi \wedge \neg l$ are unsatisfiable. By Lemma 18, REDUCE($\psi \wedge l$) 
and REDUCE($\psi \wedge \neg l$) are unsatisfiable. By the induction hypothesis, the procedure 
returns “unsatisfiable” for REDUCE($\psi \wedge l$) and REDUCE($\psi \wedge \neg l$). By definition 
of UIF-DPLL, the procedure returns “unsatisfiable” for $\phi$. 

($\Leftarrow$) Let the procedure return “unsatisfiable”. We will give a proof by in- 
duction on the number of UIF-DPLL calls. 

Base case. Let the procedure return “unsatisfiable” after one call. Then 
$\bot \in$ REDUCE($\phi$). By Lemma 18, we obtain that $\phi$ is unsatisfiable. 

Inductive step. Let $\phi$ be unsatisfiable if UIF-DPLL($\phi$) returns “unsatisfi- 
able” after at most $n - 1$ calls. Assume that UIF-DPLL($\phi$) returns “unsatisfi- 
able” after $n$ calls. By definition of UIF-DPLL, UIF-DPLL(REDUCE($\phi$) $\wedge\, l$) and 
UIF-DPLL(REDUCE($\phi$) $\wedge\, \neg l$) return “unsatisfiable” after at most $n - 1$ calls. 
Then by the induction hypothesis, REDUCE($\phi$) $\wedge\, l$ and REDUCE($\phi$) $\wedge\, \neg l$ are unsat- 
isfiable CNFs. We obtain that REDUCE($\phi$) is unsatisfiable. By Lemma 18, $\phi$ is 
also unsatisfiable. □ 

6 The Extended UIF-DPLL Calculus 

In this section we will introduce an optimization technique which can be used 
as a preprocessing step. 

Definition 20. Let $t \in \mathrm{SubTerm}(\phi)$, $\mathrm{depth}(t) > 1$ and for each $s \in \mathrm{SubTerm}_p(t)$ 
and $u \in \mathrm{Term}(\phi)$, $(s \approx u) \notin \mathrm{Lit}(\phi)$. Then $t$ is called reducible in $\phi$. 

Example 21. Let us consider the formula from Example 11. 

$$\phi_0 : u_1 \approx f(x_1, y_1) \wedge u_2 \approx f(x_2, y_2) \wedge z \approx g(u_1, u_2) \wedge z \not\approx g(f(x_1, y_1), f(x_2, y_2)).$$ 

The terms $f(x_1, y_1)$ and $f(x_2, y_2)$ are reducible. 

Definition 22. A variable $x$ is called fresh in $\phi$ if $x \notin \mathrm{Var}(\phi)$. 



6.1 The Term Reduction Rule 

One may add one more rule to the UIF-DPLL calculus. 

Term Reduction: 

$$\frac{\phi}{\phi[t := x]} \quad \text{if } t \text{ is reducible and } x \text{ is fresh in } \phi$$ 

This rule can be applied as a preprocessing step. We will show it with an 
example. 

Example 23. We consider the formula from Example 11. 

$$\phi_0 : u_1 \approx f(x_1, y_1) \wedge u_2 \approx f(x_2, y_2) \wedge z \approx g(u_1, u_2) \wedge z \not\approx g(f(x_1, y_1), f(x_2, y_2)).$$ 

After applying the term reduction rule, we obtain 

$$\phi_1 : u_1 \approx v_1 \wedge u_2 \approx v_2 \wedge z \approx g(u_1, u_2) \wedge z \not\approx g(v_1, v_2),$$ 

where the term $f(x_1, y_1)$ is replaced by a fresh variable $v_1$ and the term $f(x_2, y_2)$ is 
replaced by a fresh variable $v_2$. 

6.2 The Optimized UIF-DPLL Procedure 

The optimized UIF-DPLL procedure invokes the function REDUCE(), which takes 
as input a CNF $\phi$ and returns a reduced CNF obtained by applying 
the unit propagation I rule, the unit propagation II rule, the tautology atom 
removing rule and the term reduction rule. 

Example 24. We consider the formula from Example 11. 

$$\phi_0 : u_1 \approx f(x_1, y_1) \wedge u_2 \approx f(x_2, y_2) \wedge z \approx g(u_1, u_2) \wedge z \not\approx g(f(x_1, y_1), f(x_2, y_2)).$$ 

After applying the term reduction rule, we obtain 

$$\phi_1 : u_1 \approx v_1 \wedge u_2 \approx v_2 \wedge z \approx g(u_1, u_2) \wedge z \not\approx g(v_1, v_2),$$ 

where the term $f(x_1, y_1)$ is replaced by a fresh variable $v_1$ and the term $f(x_2, y_2)$ is 
replaced by a fresh variable $v_2$. 

After applying the unit propagation I rule, we obtain 

$$\phi_2 : u_2 \approx v_2 \wedge z \approx g(u_1, u_2) \wedge z \not\approx g(u_1, v_2),$$ 

$$\phi_3 : z \approx g(u_1, u_2) \wedge z \not\approx g(u_1, u_2),$$ 

$$\phi_4 : z \approx g(u_1, u_2) \wedge z \not\approx z.$$ 

After applying the tautology atom removing rule, we obtain 

$$z \approx g(u_1, u_2) \wedge \bot.$$ 



6.3 Soundness and Completeness of the Optimized Procedure 

In this section we will prove the soundness and completeness of the optimized 
procedure. The only difference between the optimized UIF-DPLL and the basic 
UIF-DPLL is that it replaces all reducible terms by fresh variables. 

Theorem 25. Let $t$ be reducible in $\phi$ and $x$ be a fresh variable in $\phi$. Then $\phi$ is 
satisfiable iff $\phi[t := x]$ is satisfiable. 

Proof. ($\Rightarrow$) Let $\phi$ be satisfiable. Then $I \models \phi$ for some E-interpretation $I$. Since $t$ 
is a reducible term, by definition no proper subterm of $t$ occurs as 
a left side or a right side of any literal in $\phi$. Then during the UIF-DPLL procedure 
no subterm of $t$ is replaced by another term. In this case for at least one branch 
of UIF-DPLL($\phi$) a CNF satisfying the conditions of Theorem 17 is derived in which no 
subterm of $t$ is replaced by another term. It means that for at least one branch 
of UIF-DPLL($\phi[t := x]$) a CNF satisfying the conditions of Theorem 17 is also derived. 
Then $I \models \phi[t := x]$. We can conclude that $\phi[t := x]$ is satisfiable. 

($\Leftarrow$) Let $\phi[t := x]$ be satisfiable. Then $I \models \phi[t := x]$ for some E-interpretation 
$I$. In this case for at least one branch of UIF-DPLL($\phi[t := x]$) a CNF satisfying the 
conditions of Theorem 17 is derived; let us call it $\psi$. Then $\psi[x := t]$ also 
satisfies the conditions of Theorem 17. Doing the backward substitution we ob- 
tain that for at least one branch of UIF-DPLL($\phi$) a CNF satisfying the conditions of Theorem 
17 is derived. Then $I \models \phi$. We can conclude that $\phi$ is satisfiable. □ 

Theorem 26. (Soundness and Completeness) A CNF $\phi$ is unsatisfiable if and 
only if the optimized UIF-DPLL($\phi$) returns “unsatisfiable”. 

Proof. It follows from Theorem 19 and Theorem 25. □ 



7 Conclusions and Future Work 

We have presented a new approach for checking satisfiability of formulas in 
EUF logic. A part of our method is a technique for reducing the size of a formula 
that can be of interest in itself. Our procedure can incorporate some optimization 
techniques developed by the SAT community for the DPLL method. We are 
going to implement our procedure and to compare it with existing techniques. 
We considered an example where after a few steps we could prove the unsatisfiability 
of the formula. The traditional approach would first transform the 
formula into a propositional formula of bigger size and then apply a standard 
SAT checker. We can see from the considered example that our approach can 
be efficient for some formulas, although at present we cannot draw general 
conclusions about the efficiency of the procedure. 
Abstract. We present a new method for generic quantifier elimination 
that uses an extension of Hermitian quantifier elimination. By means 
of sample computations we show that this generic Hermitian quantifier 
elimination is, for instance, an important method for automated theorem 
proving in geometry. 



1 Introduction 

Ever since quantifier elimination by CAD was implemented by Collins [1], 
quantifier elimination has become more and more important. This was reinforced 
especially by the development and implementation of partial CAD [2] by Hong 
and later Brown [3]. Besides the approach used there, quantifier elimination by 
virtual substitution was published by Weispfenning [4, 5] and further developed 
and implemented by the first author together with Sturm in redlog [6]. The 
latter method can only be applied to degree-restricted formulas. Although both 
methods are implemented highly efficiently, neither is superior to the other. 
Moreover, sometimes the methods fail to solve problems which seem to be solvable 
using quantifier elimination. Therefore it is necessary to develop and implement 
further quantifier elimination algorithms. 

The quantifier elimination by real root counting was published by Weispfen- 
ning in 1998 [7], although he had already published a technical report 
describing this method in 1993. The algorithm was first implemented by the first author 
in 1994 as a diploma thesis [8] in the computer algebra system MAS. Numer- 
ous new optimizations were developed by the authors. They were implemented 
by the second author [9] in a complete reimplementation of the method in the 
package redlog [6] of the computer algebra system reduce. The improved 
version of this quantifier elimination is called Hermitian quantifier elimination. 
The name “Hermitian” quantifier elimination was chosen to acknowledge the 
influence of Hermite’s work in the area of real root counting. 

Hermitian quantifier elimination has proved to be a powerful tool for 
particular classes of elimination problems. In [10] the first author has used it for 
the automatic solution of a real algebraic implicitization problem by quantifier 
elimination. For this automatic solution he has used all three quantifier elimina- 
tion methods, namely quantifier elimination by virtual substitution, Hermitian 
quantifier elimination, and quantifier elimination by partial cylindrical algebraic 
decomposition, as well as the simplification methods described in [11]. 

The definition, development and implementation of new paradigms related to 
quantifier elimination algorithms have been very successful in the past. Extended 
quantifier elimination provides not only an equivalent formula but sample solu- 
tions. It can be applied e.g. in the area of generalized constraint solving yielding 
optimal solutions [12]. 

Generic quantifier elimination was introduced for the virtual substitution 
method by the first author together with Sturm and Weispfenning [13]. Let $\varphi$ be 
an input formula with quantified variables $x_1, \dots, x_n$ and parameters $u_1, \dots, u_m$. 
Recall that regular quantifier elimination computes from $\varphi$ a quantifier-free for- 
mula $\varphi'$ such that for all real values $c_1, \dots, c_m$ for the parameters $u_1, \dots, u_m$ 
both $\varphi$ and $\varphi'$ are equivalent, i.e. we have $\varphi(c_1, \dots, c_m) \longleftrightarrow \varphi'(c_1, \dots, c_m)$. In 
the case of generic quantifier elimination we compute additionally a conjunction 
$\Theta$ of non-trivial negated equations, such that 

$$\Theta \longrightarrow (\varphi \longleftrightarrow \varphi').$$ 

In other words, $\Theta$ restricts the parameter space. Note that $\Theta$ cannot become 
inconsistent, and moreover, the complement of the set described by $\Theta$ has a lower 
dimension than the complete parameter space. Thus it restricts our parameter 
space only slightly. 

The idea behind generic quantifier elimination is to add assumptions to 
$\Theta$ whenever this may either speed up the computation or may cause the algo- 
rithm to produce a shorter result formula $\varphi'$. The paradigm of generic quantifier 
elimination was introduced in [13] in the area of automated geometry proving. 
The key idea here is to express a geometric theorem as a quantified formula 
and then verify it by quantifier elimination. Regular quantifier elimination may 
fail due to lack of resources or if the theorem does not hold. In the latter case 
it may be false only for some degenerate situations, such as empty triangles 
or rectangles instead of arbitrary triangles. Generic quantifier elimination is in 
this area superior to the regular one for two reasons: the computations are in 
general much faster, and the assumptions made in $\Theta$ may exclude degenerate 
situations in which the theorem is false. In the above cited paper, which is based 
on quantifier elimination by virtual substitution, it was shown heuristically that 
for this generic quantifier elimination $\Theta$ in fact contains mostly non-degeneracy 
conditions. 

Meanwhile, using a generic projection operator, the concept of generic quan- 
tifier elimination was also successfully applied to quantifier elimination by partial 
cylindrical algebraic decomposition [14]. Seidl and Sturm study the general ap- 
plicability of generic quantifier elimination in contrast to the regular one. As for 
regular quantifier elimination by cylindrical algebraic decomposition, this ap- 
proach is successful mostly for problems containing only a few variables. This 
restricts the applicability of the generic projection operator to the area of auto- 
mated theorem proving. 
In this note we introduce a generic variant of Hermitian quantifier elimination 
and apply it in the area of automated theorem proving. This generic quantifier 
elimination is not degree restricted like the method based on virtual substitution, 
and it can in general handle more variables than the method based on cylindri- 
cal algebraic decomposition. Hermitian quantifier elimination is, however, well 
suited for formulas containing many equations, as in the case of automated geo- 
metric theorem proving. Nevertheless the generic Hermitian quantifier elimina- 
tion is well suited for many other application areas, e.g., physical applications 
in which an equation between two different values is always of no meaning. 

The plan of the paper is as follows: In the next Section 2 we sketch the Hermi- 
tian quantifier elimination algorithm. In Section 3 we discuss three parts of the 
algorithm where the concept of generic quantifier elimination can be successfully 
applied. After describing the generic algorithm we show in Section 4 the scope 
of our method by computation examples. In the final Section 5 we conclude and 
summarize our results. 



2 The Basic Algorithm 

We want to eliminate the quantifiers from an arbitrary first-order formula in the 
language of ordered rings. In our discussion we restrict our attention to the main 
parts of the Hermitian quantifier elimination with some improvements. Given an 
arbitrary first-order formula, we first compute an equivalent prenex normal form 
of the form 

$$Q_n x_{n1} \cdots Q_n x_{nm_n} \cdots Q_2 x_{21} \cdots Q_2 x_{2m_2} Q_1 x_{11} \cdots Q_1 x_{1m_1}(\psi), \quad Q_i \in \{\exists, \forall\},$$ 

with $Q_{i-1} \neq Q_i$ for $i \in \{2, \dots, n\}$ and $\psi$ quantifier-free. 

Our elimination algorithm eliminates the quantifier blocks, block by block, 
beginning with the innermost one, i.e., we compute first a quantifier-free equiv- 
alent of 

$$Q_1 x_{11} \cdots Q_1 x_{1m_1}(\psi).$$ 

Using the equivalence 

$$\forall x_1 \dots \forall x_n(\psi) \longleftrightarrow \neg \exists x_1 \dots \exists x_n(\neg\psi),$$ 

we can obviously restrict our discussion to the case of one existential quantifier 
block, i.e. $Q_1 = \exists$. We can furthermore assume without loss of generality (for 
short w.l.o.g.) that $\psi$ contains only atomic formulas of the form $t = 0$, $t > 0$ and 
$t \neq 0$ and that $\psi$ is in disjunctive normal form. By applying the equivalence 

$$\exists x_1 \dots \exists x_n \Big( \bigvee_{i=1}^{k} \psi_i \Big) \longleftrightarrow \bigvee_{i=1}^{k} \exists x_1 \dots \exists x_n(\psi_i)$$ 

we assume in the following that $\psi$ is a conjunction of atomic formulas of the 
above form. 
2.1 Preparation 

We assume that our input formula has the following form 

$$\exists x_1 \dots \exists x_n \Big( \bigwedge_{g \in G} (g = 0) \wedge \bigwedge_{h \in H} (h > 0) \wedge \bigwedge_{f \in F} (f \neq 0) \Big),$$ 

where $G$, $H$, and $F$ are finite sets of polynomials in $\mathbb{Q}[u_1, \dots, u_m][x_1, \dots, x_n]$. We 
can obviously evaluate each variable-free atomic formula to a truth value, making 
it superfluous or the whole conjunction contradictory. Thus we can w.l.o.g. as- 
sume that each polynomial is an element of $\mathbb{Q}[u_1, \dots, u_m][x_1, \dots, x_n] \setminus \mathbb{Q}$. 

For a polynomial $g \in \mathbb{Q}[u_1, \dots, u_m][x_1, \dots, x_n]$ and $(c_1, \dots, c_m) \in \mathbb{R}^m$ we 
denote by $g(c_1, \dots, c_m)$ the polynomial in $\mathbb{R}[x_1, \dots, x_n]$ constructed from $g$ by 
plugging in the $c_i$ for $u_i$ with $i \in \{1, \dots, m\}$. We extend this notation in the 
natural manner to sets of polynomials. 

If the set $G$ is empty, we proceed with our quantifier elimination as described 
in Section 2.3. If $G$ is not empty, we compute a Gröbner system [15] w.r.t. an 
arbitrary but fixed term order. This term order is also fixed for all subsequent 
computations in the following paragraphs. 

The concept of Gröbner systems generalizes the concept of Gröbner bases to 
the parametric case. With the term “parametric case” we describe situations in 
which the coefficients of the polynomials are given parametrically as polynomials in 
some variables, e.g. $mx + b$ is a univariate polynomial in $x$ with the parametric 
coefficients $m$ and $b$. 

A Gröbner system $\Sigma$ is a finite set of pairs $(\gamma, \hat{G})$, called branches of the 
Gröbner system. Each branch consists of a quantifier-free formula $\gamma$ in the $u_1, 
\dots, u_m$ and a finite set of polynomials $\hat{G} \subseteq \mathbb{Q}[u_1, \dots, u_m][x_1, \dots, x_n]$. For each $c \in \mathbb{R}^m$ 
there is one branch $(\gamma, \hat{G})$ such that $\gamma(c)$ holds, we have $\mathrm{Id}(G(c)) = \mathrm{Id}(\hat{G}(c))$, 
and $\hat{G}(c)$ is a Gröbner basis. In fact, all computations used for our algorithm 
can be performed parametrically using $\hat{G}$. 

Note that for every $(\gamma, \hat{G})$ and $c \in \mathbb{R}^m$ with $\gamma(c)$ we have that $G(c)$, $\hat{G}(c)$ 
and $\mathrm{Id}(\hat{G}(c))$ have the same zeroes. By switching from 

$$\bigwedge_{g \in G} (g = 0) \quad \text{to} \quad \bigvee_{(\gamma, \hat{G}) \in \Sigma} \Big( \gamma \wedge \bigwedge_{g \in \hat{G}} (g = 0) \Big)$$ 

and interchanging the disjunction with the existential quantifier block, it suffices 
to eliminate the quantifiers from 

$$\gamma \wedge \exists x_1 \cdots \exists x_n \Big( \bigwedge_{g \in \hat{G}} g = 0 \wedge \bigwedge_{h \in H} h > 0 \wedge \bigwedge_{f \in F} f \neq 0 \Big).$$ 

Let $d$ be the dimension of $\mathrm{Id}(\hat{G}(c))$ with $c \in \mathbb{R}^m$ and $\gamma(c)$. Note that this di- 
mension is uniquely determined by $\gamma$. According to the dimension $d$ we proceed 
as follows: If the ideal is zero-dimensional, i.e., $d = 0$, we eliminate the complete 
block of existential quantifiers as described in the next Section 2.2. If the dimen- 
sion is $-1$, i.e., the ideal is actually the entire polynomial ring, then there 
is obviously no zero of $\hat{G}$, because $1$ is a member of the ideal. Our elimination 
result in this case is simply false. If the dimension is $n$, which is the number 
of main variables, we have to reformulate the problem and call our quantifier 
elimination recursively as described in Section 2.3. If, finally, the dimension is 
between $1$ and $n - 1$ then we eliminate the quantifier block with two recursive 
calls of our Hermitian quantifier elimination as described in Section 2.4. 



2.2 The Zero-Dimensional Case 

We want to eliminate the quantifiers from 

$$\gamma \wedge \exists x_1 \cdots \exists x_n \Big( \bigwedge_{g \in \hat{G}} g = 0 \wedge \bigwedge_{h \in H} h > 0 \wedge \bigwedge_{f \in F} f \neq 0 \Big),$$ 

where for each $c$ in $\mathbb{R}^m$ with $\gamma(c)$ we have that $\hat{G}(c)$ is a Gröbner basis of the 
zero-dimensional ideal $\mathrm{Id}(\hat{G}(c))$. For this we use a method originally developed 
for counting the real zeroes of $\mathrm{Id}(\hat{G}(c))$ w.r.t. the side conditions generated by 
$H$ and $F$. 

The result we use was found independently by Pedersen, Roy, Szpirglas [16] 
and Becker, Wörmann [17], generalizing a result of Hermite for the bivariate 
case. It was adapted to the parametric case including several side conditions by 
Weispfenning [7] and further extended by the first author [8]. 

For a moment, assume that $H = \{h_1, \dots, h_r\}$ and $F = \{f_1, \dots, f_s\}$. Let 
$E = \{1, 2\}^r$. For $e \in E$ define 

$$f_e := \prod_{i=1}^{r} h_i^{e_i} \cdot \prod_{i=1}^{s} f_i^2.$$ 

For a univariate polynomial $q$ define $Z_+(q)$ as the number of positive zeroes 
and $Z_-(q)$ as the number of negative zeroes, respectively, both counted with 
multiplicities. 

Consider $R = \mathbb{Q}(u_1, \dots, u_m)[x_1, \dots, x_n]$ and let $I = \mathrm{Id}(\hat{G})$ and $B = 
\{v_1, \dots, v_b\}$ the reduced terms of $\hat{G}$. Then $R(c)/I(c)$ is a $\mathbb{Q}$-algebra with basis 
$B(c)$ for each $c$ with $\gamma(c)$. Note that each element in $R$ can also be viewed as an 
element of $R/I$. For $q \in R$, the map 

$$m_q : R/I \to R/I, \quad \text{defined by } m_q(p) = q \cdot p,$$ 

is linear. Using this definition we define for a polynomial $p \in R$ the $b \times b$ matrix 
$Q_p = (q_{ij})$ by 

$$q_{ij} = \mathrm{trace}(m_{v_i v_j p}).$$ 

Finally let $\chi(Q_p)$ be the characteristic polynomial of $Q_p$. 

Then we have for each $c \in \mathbb{R}^m$ with $\gamma(c)$, that 

$$\Big| \Big\{ a \in \mathbb{R}^n \;\Big|\; \bigwedge_{g \in \hat{G}} g(c)(a) = 0 \wedge \bigwedge_{h \in H} h(c)(a) > 0 \wedge \bigwedge_{f \in F} f(c)(a) \neq 0 \Big\} \Big|$$ 

equals $Z_+(\chi) - Z_-(\chi)$, where $\chi = \prod_{e \in E} \chi(Q_{f_e})$. 
While the computations used so far are all uniform in $c \in \mathbb{R}^m$ with $\gamma(c)$, we 
cannot uniformly count $Z_+$ or $Z_-$ for $\chi$. Note that $\chi(c)$ is of real type, i.e., there 
are no zeroes in $\mathbb{C} \setminus \mathbb{R}$. For those polynomials we can compute the number of 
positive and negative zeroes using Descartes’ rule of signs. It states that the 
number of positive real zeroes of a polynomial $\chi(c)$ of real type is exactly the number of 
sign changes in the list of coefficients of $\chi(c)$, ignoring $0$. By substituting $-x$ for $x$ in $\chi(c)$ 
one can also compute the negative zeroes using Descartes’ rule of signs. 

Let $\chi = \sum_{i=0}^{k} \frac{a_i}{b_i} x^i$, where $a_i, b_i \in \mathbb{Q}[u_1, \dots, u_m]$. For $\delta \in \{<, =, >\}^k$ let $\psi_\delta$ 
be the formula 

$$a_1 b_1 \;\delta_1\; 0 \wedge \cdots \wedge a_k b_k \;\delta_k\; 0.$$ 

Using Descartes’ rule of signs we can now uniformly count the number $Z_+$ of 
positive and the number $Z_-$ of negative zeroes of $\chi(c)$ for all $c \in \mathbb{R}^m$ with $\gamma(c)$ 
and $\psi_\delta(c)$. 

Finally define $\rho$ by 

$$\rho := \bigvee_{\substack{\delta \in \{<, =, >\}^k \\ Z_+ = Z_-}} \psi_\delta.$$ 

Our formula $\rho$ states that the polynomial $\chi$ has exactly the same number of 
positive as of negative real zeroes. A quantifier-free formula with this property is 
called a type formula for the polynomial $\chi$. Recall from our discussion above that 
in this situation $G$ has no zeroes which satisfy the given side conditions. Thus 
our final elimination result is $\gamma \wedge \neg\rho$. 
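Descartes’ rule of signs as this section uses it, as an added Python example (written for this page; it is not code from the paper or from redlog). For a polynomial of real type the number of sign changes is the exact number of positive zeroes, and substituting $-x$ for $x$ gives the negative ones. The sign vector of a concrete coefficient list is the $\delta \in \{<, =, >\}^k$ for which $\psi_\delta$ holds under that specialisation of the coefficients, and type_formula_holds is the condition $Z_+ = Z_-$ that $\rho$ expresses for it. Representing a polynomial as a list of rational coefficients, highest degree first, and building test polynomials from chosen real roots (so that real type is guaranteed) are choices made for the example.

```python
"""Descartes' rule of signs for polynomials of real type, as used in Section 2.2.

A polynomial is a list of rational coefficients, highest degree first.  For a
polynomial all of whose zeroes are real, the sign-change count is exact, so it
yields Z_+ and, after substituting -x for x, Z_-.
"""
from fractions import Fraction


def poly_from_roots(roots):
    """Product of (x - r) over the given real roots: a polynomial of real type,
    built as constructed test input (not from the paper)."""
    coeffs = [Fraction(1)]
    for r in roots:
        r = Fraction(r)
        # multiply by (x - r): shift (times x) and subtract r times the old coefficients
        shifted = coeffs + [Fraction(0)]
        scaled = [Fraction(0)] + [-r * c for c in coeffs]
        coeffs = [a + b for a, b in zip(shifted, scaled)]
    return coeffs


def sign_changes(coeffs):
    """Number of sign changes in the coefficient list, zeros ignored."""
    signs = [c > 0 for c in coeffs if c != 0]
    return sum(1 for a, b in zip(signs, signs[1:]) if a != b)


def negate_variable(coeffs):
    """Coefficients of chi(-x): the coefficient of x^k changes sign for odd k."""
    deg = len(coeffs) - 1
    return [c if (deg - i) % 2 == 0 else -c for i, c in enumerate(coeffs)]


def descartes_counts(coeffs):
    """(Z_+, Z_-) for a polynomial of real type, multiplicities included."""
    return sign_changes(coeffs), sign_changes(negate_variable(coeffs))


def sign_vector(coeffs):
    """The delta in {<, =, >}^k describing the signs of the coefficients, i.e. which
    psi_delta holds for this specialisation of the coefficient polynomials."""
    return tuple("<" if c < 0 else "=" if c == 0 else ">" for c in coeffs)


def type_formula_holds(coeffs):
    """True exactly when Z_+ = Z_-, the condition the formula rho expresses."""
    z_plus, z_minus = descartes_counts(coeffs)
    return z_plus == z_minus


if __name__ == "__main__":
    chi = poly_from_roots([1, 2, -3])        # x^3 - 7x + 6
    print(chi, descartes_counts(chi), sign_vector(chi), type_formula_holds(chi))
```

A zero at $0$ is counted by neither $Z_+$ nor $Z_-$, and a double root such as $(x-1)^2$ contributes two sign changes, matching the "counted with multiplicities" convention of the section. For a polynomial that is not of real type the same function only gives Descartes' upper bound, which is why the section first establishes that $\chi(c)$ has no non-real zeroes.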



2.3 Constructing Equations 

We enter this case of the Hermitian quantifier elimination if the input formula 
does not contain any equation or the dimension of $\mathrm{Id}(\hat{G}(c))$ is $n$, i.e., $\mathrm{Id}(\hat{G}(c)) = \{0\}$ 
for $c$ with $\gamma(c)$. In other words we consider the input formula 

$$\exists x_1 \cdots \exists x_n \Big( \bigwedge_{h \in H} h > 0 \wedge \bigwedge_{f \in F} f \neq 0 \Big).$$ 

In this case, we can eliminate one quantifier, say $x_n$, and the other quanti- 
fiers of the considered block are eliminated by a recursive call of the Hermitian 
quantifier elimination. 

Let $h$ have a representation of the form $\sum_{k=0}^{d_h} a_{h,k} x_n^k$ where each $a_{h,k}$ is a 
polynomial in $\mathbb{Q}[u_1, \dots, u_m, x_1, \dots, x_{n-1}]$ with $a_{h,d_h} \neq 0$. Assume for a moment 
that $H = \{h_1, \dots, h_r\}$ and let $D = \{0, \dots, d_{h_1}\} \times \cdots \times \{0, \dots, d_{h_r}\}$. For $\delta \in D$ we denote by 
$\delta_h$ the $s$-th element of $\delta$ such that $h_s = h$. Define $P = \{(h_i, h_j) \mid 1 \le i < j \le r\} 
\subseteq H^2$. 

For $h \in H$ and $d \in \{0, \dots, d_h\}$ let $\Gamma_h^d$ be the following formula: 

$$\bigwedge_{k = d+1}^{d_h} a_{h,k} = 0 \wedge a_{h,d} \neq 0.$$ 
For fixed $h \in H$ the formulas $\Gamma_h^d$ build a complete disjunctive case distinction of 
the degree of $h$ under specifications of the parameters. Notice that it does not 
matter at this point if $\Gamma_h^d$ is equivalent to false. Let $g_d(h) = \sum_{k=0}^{d} a_{h,k} x_n^k$. We 
have the equivalence 

$$\exists x_n \Big( \bigwedge_{h \in H} h > 0 \wedge \bigwedge_{f \in F} f \neq 0 \Big) \longleftrightarrow \bigvee_{\delta \in D} \exists x_n \Big( \bigwedge_{h \in H} \Gamma_h^{\delta_h} \wedge g_{\delta_h}(h) > 0 \wedge \bigwedge_{f \in F} f \neq 0 \Big).$$ 

For each $\delta$ we then in turn transform the formulas 

$$\exists x_n \Big( \bigwedge_{h \in H} \Gamma_h^{\delta_h} \wedge g_{\delta_h}(h) > 0 \wedge \bigwedge_{f \in F} f \neq 0 \Big)$$ 

separately to 

$$\begin{aligned}
& \bigwedge_{f \in F} \bigvee_{i=0}^{d_f} a_{f,i} \neq 0 \;\wedge\; \Big( \big( \bigwedge_{h \in H} \Gamma_h^{\delta_h} \wedge a_{h,\delta_h} > 0 \big) \;\vee \\
& \big( \bigwedge_{h \in H} \Gamma_h^{\delta_h} \wedge (a_{h,\delta_h} < 0 \vee (\mathrm{Even}(\delta_h) \wedge a_{h,\delta_h} > 0)) \big) \;\vee \\
& \bigvee_{p \in Q} \exists x_n \big( \bigwedge_{h \in H} \Gamma_h^{\delta_h} \wedge g_{\delta_h}(h) > 0 \wedge \tfrac{\partial p}{\partial x_n} = 0 \big) \;\vee \\
& \bigvee_{(p, q) \in P} \exists x_n \big( \bigwedge_{h \in H} \Gamma_h^{\delta_h} \wedge g_{\delta_h}(h) > 0 \wedge (p - q) = 0 \big) \Big)
\end{aligned}$$ 

where $Q = \{h \in H \mid \delta_h \ge 2\}$. The predicate $\mathrm{Even}(n)$ is true if and only if 
$n$ is even. Thus we have shown how to trace back this case to the case with at 
least one equation in the input formula. 

Let $\varphi'$ denote the complete transformed input formula. Then we apply the 
Hermitian quantifier elimination to each quantified constituent and obtain, by 
eliminating $x_n$, a quantifier-free equivalent $\psi'$. Finally we apply the Hermitian 
quantifier elimination again recursively to 

$$\exists x_1 \cdots \exists x_{n-1}(\psi')$$ 

obtaining a quantifier-free equivalent $\psi$. The final result of the elimination step 
is then 

$$\gamma \wedge \psi.$$ 



2.4 Partial Elimination 

We enter this case of the Hermitian quantifier elimination if the dimension of 
$\hat{G}$ is $d$ with $d \in \{1, \dots, n - 1\}$. We compute a maximal strongly independent 
set $\Xi$ [18]. Let w.l.o.g. $\Xi = \{x_1, \dots, x_k\}$. Then we apply recursively the 
Hermitian quantifier elimination to 

$$\exists x_{k+1} \cdots \exists x_n \Big( \bigwedge_{g \in \hat{G}} g = 0 \wedge \bigwedge_{h \in H} h > 0 \wedge \bigwedge_{f \in F} f \neq 0 \Big)$$ 

and obtain a quantifier-free formula $\psi'$. Then we apply our quantifier elimination 
procedure again recursively to 

$$\exists x_1 \cdots \exists x_k(\psi')$$ 

yielding $\psi$. Our quantifier-free result is then $\gamma \wedge \psi$. This concludes the description 
of the Hermitian quantifier elimination. 

3 Generic Hermitian Quantifier Elimination 

In this section we discuss our modifications to the algorithm for obtaining 
a generic quantifier elimination. As already mentioned in the introduction, a 
generic quantifier elimination computes for a first-order formula $\varphi$ a quantifier- 
free formula $\varphi'$ and a conjunction $\Theta$ of negated equations in the parameters $u_1, 
\dots, u_m$ such that 

$$\Theta \longrightarrow (\varphi \longleftrightarrow \varphi').$$ 

$\Theta$ is called a theory. Recall from our discussion in the previous section that our 
quantifier elimination algorithm is recursive. In each recursive call we consider 
variables originally bound by quantifiers as additional parameters. Obviously we 
are not allowed to add assumptions about these additional parameters to $\Theta$. To 
guarantee this restriction we denote by $v_1, \dots, v_m$ the set of parameters of the 
input formula. In the discussion below we will always test whether an assumption 
is valid by checking whether it contains only variables from $\{v_1, \dots, v_m\}$. 

3.1 Generic Gröbner Systems

Our first and most prominent modification to the pure elimination algorithm
is to compute in the preparation phase a generic Gröbner system instead of a
regular one.

Let $<$ be a term order and let $p = c_1 t_1 + \cdots + c_d t_d$ be a polynomial in
$\mathbb{Q}[u_1, \dots, u_m][x_1, \dots, x_n]$, where $c_1, \dots, c_d \in \mathbb{Q}[u_1, \dots, u_m]$ and $t_d > \cdots > t_1$
are terms. Then the head term of $p$ is $t_d$. For a given $c \in \mathbb{R}^m$ this may or may not be
true for the polynomial $p(c)$: it depends on whether $c_d(c) \neq 0$ or not. During the
construction of a Gröbner system we systematically construct a case distinction
about some parameters of the occurring polynomials. In each case of this case
distinction the head term of all polynomials is uniformly determined.

A generic Gröbner system allows us to exclude some cases by adding assumptions
to $\Theta$. In particular, if $c_d$ contains only parameters from $\{v_1, \dots, v_m\}$ we add
$c_d \neq 0$ to $\Theta$ and assume in the following computation steps that the head term
of $p$ is $t_d$.

We denote by $\vdash$ a suitable heuristic to decide an implication: if $\gamma \vdash \alpha$, then
$\gamma \longrightarrow \alpha$ is valid. Note that the construction of a Gröbner system
requires that this heuristic can actually decide some implications.

The first algorithm extends a partial Gröbner system by an additional polynomial.
Note that we assume that the theory $\Theta$ to be computed is globally
available.

We use the following notations: $\mathrm{HC}(f)$ is the head or leading coefficient of $f$
w.r.t. our fixed term order, $\mathrm{Red}(f)$ is the reductum of $f$, i.e. $f$ with its head monomial removed,
and $\mathrm{Var}(f)$ is the set of variables actually occurring in $f$.

Algorithm 1 (extend). Input: a partial system $S$, a branch $(\gamma, G)$, and two
polynomials $h$ and $h'$. Output: an extended partial system.

1  if $h' = 0$ then
2    return $S \cup \{(\gamma, G)\}$
3  else if $\mathrm{Var}(\mathrm{HC}(h')) \subseteq \{v_1, \dots, v_m\}$ then
4    $\Theta := \Theta \wedge (\mathrm{HC}(h') \neq 0)$
5    return $S \cup \{(\gamma, G \cup \{h\})\}$
6  else if $\gamma \wedge \Theta \vdash \mathrm{HC}(h') \neq 0$ then
7    return $S \cup \{(\gamma, G \cup \{h\})\}$
8  else if $\gamma \wedge \Theta \vdash \mathrm{HC}(h') = 0$ then
9    return extend$(S, (\gamma, G), h, \mathrm{Red}(h'))$
10 else
11   $S' := S \cup \{(\gamma \wedge \mathrm{HC}(h') \neq 0,\; G \cup \{h\})\}$
12   return extend$(S', (\gamma \wedge \mathrm{HC}(h') = 0,\; G), h, \mathrm{Red}(h'))$
13 fi

This algorithm differs from the algorithm for regular Gröbner systems by
accessing the theory $\Theta$ and by lines 3 and 4, which generate new assumptions.

For computing a Gröbner system we start with computing an initial partial
system $S$ by calling the following algorithm Initialize with input $G$.

Algorithm 2 (Initialize). Input: a finite set $H$ of polynomials. Output: a partial
system.

1 begin
2   $S := \{(\mathrm{true}, \emptyset)\}$
3   for each $h \in H$ do
4     for each $(\gamma, G) \in S$ do
5       $S := S \setminus \{(\gamma, G)\}$
6       $S := \mathrm{extend}(S, (\gamma, G), h, h)$
7     od
8   od
9 end

For computing the Gröbner system from the partial system we proceed as
follows: we select a branch $(\gamma, G)$ of $S$ and compute $S' = S \setminus \{(\gamma, G)\}$. Then we
select $g_1, g_2$ from $G$ such that the normal form $h$ of the S-polynomial of $g_1, g_2$
is not 0. Finally we extend $S'$ by $(\gamma, G)$, $h$ and $h$. This process is repeated until
the normal form of all S-polynomials is 0.

As mentioned above the generic variant of the Gröbner system computation
allows us to drop branches. Recall from the presentation of our quantifier elimination
algorithm that we have to perform a separate quantifier elimination for each branch.
If we are on the top level of our quantifier elimination algorithm we
actually compute a Gröbner system containing one single branch, because the
condition on line 3 of the algorithm "extend" is tautological in this situation (at the
top level the parameters are exactly $v_1, \dots, v_m$). This reduces, in general, both the
computation time and the size of the output formula dramatically. As a rule, observed
from our sample computations, we compute only a few assumptions, which can often
be easily interpreted.
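The control flow of Algorithms 1 and 2 is easiest to follow on a concrete input. The following Python script is an added illustration, not code from the paper or from redlog: it implements extend and Initialize line by line over an assumed list-of-monomials representation of polynomials, with an assumed, deliberately weak heuristic ⊢ that recognises an atom only if it is literally among the assumptions. For $p = u_1 x^2 + v_1 x + 1$, where $u_1$ is a former quantified variable and $v_1$ the only original parameter, it produces the two branches $u_1 \neq 0$ and $u_1 = 0$ and records $v_1 \neq 0$ in $\Theta$ instead of opening a third branch; for a second polynomial $r = u_1 x + v_2$ the branch condition already decides the head coefficient (lines 6 to 9), so no further branches arise.

```python
# Added example: Algorithms 1 (extend) and 2 (Initialize) for generic Groebner
# systems. Assumed representation, not the paper's: a polynomial is a list of
# (coefficient, term) pairs ordered with the head monomial first, so Red(p) is
# p[1:] and the zero polynomial is []. A coefficient is (text, variables), where
# variables is the set of parameters occurring in it, which gives Var(HC(p)).
# An assumption is (coefficient_text, '!=') or (coefficient_text, '=').

def syntactic_decide(assumptions, atom):
    """Assumed stand-in for the heuristic |-: gamma /\\ Theta |- atom is accepted
    only if atom is literally one of the assumptions.  Any sound decision
    procedure could replace it; a weaker one just produces more branches."""
    return atom in assumptions


class GenericGroebnerSystem:
    def __init__(self, original_parameters, decide=syntactic_decide):
        self.V = set(original_parameters)   # v_1, ..., v_m: may appear in assumptions
        self.theta = []                     # the theory Theta, globally available
        self.decide = decide

    def assume(self, atom):
        if atom not in self.theta:
            self.theta.append(atom)

    def extend(self, S, branch, h, hp):
        """Algorithm 1: add polynomial h to branch (gamma, G).  hp is the part of
        h whose head coefficient is still undetermined (initially h itself)."""
        gamma, G = branch
        if not hp:                                               # line 1
            return S + [(gamma, G)]
        text, variables = hp[0][0]                               # HC(hp)
        nonzero, zero = (text, '!='), (text, '=')
        if variables <= self.V:                                  # line 3
            self.assume(nonzero)                                 # line 4
            return S + [(gamma, G + [h])]                        # line 5
        context = gamma + self.theta
        if self.decide(context, nonzero):                        # line 6
            return S + [(gamma, G + [h])]
        if self.decide(context, zero):                           # line 8
            return self.extend(S, branch, h, hp[1:])             # line 9: drop the head
        S2 = S + [(gamma + [nonzero], G + [h])]                  # line 11
        return self.extend(S2, (gamma + [zero], G), h, hp[1:])  # line 12

    def initialize(self, H):
        """Algorithm 2.  Each h is inserted into the branches that existed
        before h was processed (a snapshot), as the nested loops intend."""
        S = [([], [])]                                           # (true, {})
        for h in H:
            for branch in list(S):
                S.remove(branch)
                S = self.extend(S, branch, h, h)
        return S


def mono(coef_text, variables, term):
    return ((coef_text, frozenset(variables)), term)

# Constructed input: u_1 x^2 + v_1 x + 1, where u_1 was bound by a quantifier
# (no assumption may mention it) and v_1 is an original parameter.
P = [mono('u1', {'u1'}, 'x^2'), mono('v1', {'v1'}, 'x'), mono('1', set(), '1')]
# A second polynomial whose head coefficient is decided by the branch condition.
R = [mono('u1', {'u1'}, 'x'), mono('v2', {'v2'}, '1')]

def run(H, V):
    """Partial system and theory for polynomials H with original parameters V."""
    gs = GenericGroebnerSystem(V)
    return gs.initialize(H), gs.theta

if __name__ == '__main__':
    branches, theta = run([P, R], {'v1', 'v2'})
    for gamma, G in branches:
        print('branch', gamma, 'holds', len(G), 'polynomials')
    print('theta', theta)
```

With $\{v_1, v_2\}$ as original parameters the run ends with two branches, $u_1 \neq 0$ and $u_1 = 0$, each containing both polynomials, and $\Theta = v_1 \neq 0 \wedge v_2 \neq 0$; declaring $u_1$ an original parameter as well collapses the system to the single branch of the top-level situation described above.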



3.2 Generic Equation Construction

In Section 2.3 we have discussed how to construct an equation from a set of
ordering relations. In this section we adapt this to the generic case.

Recall that we generate a complete case distinction about the highest coefficient
of each $h \in H$. The size of this case distinction can be reduced by making
appropriate assumptions as shown below.

For $h \in H$ let

$$n_h = \max\big(\{-1\} \cup \{\, i \in \{0, \dots, d_h\} \mid \mathrm{Var}(a_{h,i}) \subseteq \{v_1, \dots, v_m\} \,\}\big).$$

For all $h \in H$ with $n_h \geq 0$ we add the assumption $a_{h,n_h} \neq 0$ to our theory
$\Theta$. Let finally $D' = \times_{h \in H} \{\max(0, n_h), \dots, d_h\}$. Then we can proceed with the
transformation described in Section 2.3 using $D'$ instead of $D$. Note that $D' \subseteq D$
and often $D' \subsetneq D$.

3.3 Generic Type Formula Computation

In this section we discuss an approach to computing generic type formulas.

The type formula construction presented in Section 2.2 is a primitive version
of the method used in our highly optimized Hermitian quantifier elimination. We
actually compute a type formula $\tau_d$ for a polynomial $p = \sum_{i=0}^{d} c_i x^i$ of degree $d$
recursively:

$$\tau_d(c_d, \dots, c_0) = \big((c_0 = 0) \wedge \tau_{d-1}\big) \vee \tau'_d(c_d, \dots, c_0).$$

The recursion basis are the simple type formulas up to degree 3. The definition
of $\tau'_d$ is similar to the definition of $\tau_d$, but assumes a non-vanishing constant
coefficient, which implies that 0 is not a zero of $p$. This formula is actually a
disjunctive normal form. Each constituent has the following schema

$$c_{k_1} \,\varrho_{k_1}\, 0 \;\wedge\; \cdots \;\wedge\; c_{k_l} \,\varrho_{k_l}\, 0,$$

where $\{k_1, \dots, k_l\} \subseteq \{1, \dots, d\}$ and $\varrho_{k_j} \in \{<, >\}$.
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Fig. 1. Example 1 (left) and Example 2 (right) 



For our generic type formula computation we cannot make use of our assumption
for computing $\tau'_d$. If $\mathrm{Var}(c_0) \subseteq \{v_1, \dots, v_m\}$ we can however avoid the
recursion by adding $c_0 \neq 0$ to $\Theta$. This reduces the size of the output formula
dramatically and, if it occurs in the recursions, it reduces the computation time, too.
Our test computations have, however, shown that, in general, the assumptions
made here are very complex and cannot be easily interpreted. For our application
of automated theorem proving we have thus not analyzed this method further.
This does not mean that generic type formulas are an irrelevant optimization
for other application areas of generic quantifier elimination.



4 Examples 

In this section we will apply our elimination algorithm to some automatic proofs 
of geometric theorems. We have implemented the algorithm in redlog 3.0, 
which is part of the current version 3.8 of the computer algebra system reduce. 

For the geometric theorem proving we proceed here as described in [13]. 
Our examples will show the meaning of the assumptions which are created dur- 
ing the computations. In most cases, these assumptions can be interpreted as 
(necessary) non-degeneracy conditions, so they have a powerful geometric inter- 
pretation. Note that the constructed assumptions may not be a complete list of 
non-degeneracy conditions for the particular example. We will also show that 
generic Hermitian quantifier elimination will speed up the elimination procedure 
and will create smaller solution formulas than the regular Hermitian quanti- 
fier elimination. We explain in detail how to express a geometric theorem as a 
first-order formula by means of our first example. 



Example 1. Given a parallelogram $ABCD$, let $E$ be the intersection point of its
diagonals. Then $E$ is the midpoint of the diagonals (see Figure 1). This example
was taken from [19]. By a suitable motion of the plane we can assume w.l.o.g.

$$A = (0,0),\quad B = (u_1, 0),\quad C = (u_2, u_3),\quad D = (x_2, x_1),\quad E = (x_4, x_3).$$

We now can describe the necessary properties of our statement by the following
equations:

$$\begin{aligned}
h_1 &= u_1 x_1 - u_1 u_3 = 0 && AB \parallel DC \\
h_2 &= u_3 x_2 - (u_2 - u_1)\, x_1 = 0 && DA \parallel CB \\
h_3 &= x_1 x_4 - (x_2 - u_1)\, x_3 - u_1 x_1 = 0 && E \in BD \\
h_4 &= u_3 x_4 - u_2 x_3 = 0 && E \in AC \\
g &= 2 u_2 x_4 + 2 u_3 x_3 - u_2^2 - u_3^2 = 0 && \mathrm{Length}(AE) = \mathrm{Length}(CE)
\end{aligned}$$

The theorem can then be formulated as
$\forall x_1\, \forall x_2\, \forall x_3\, \forall x_4\, (h_1 \wedge h_2 \wedge h_3 \wedge h_4 \longrightarrow g)$.

The application of our elimination algorithm leads in 30 ms to the result

$$\Theta = u_1 \neq 0 \wedge u_3 \neq 0, \qquad \varphi' = \mathrm{true}.$$

The theory $\Theta$ states that $ABCD$ is a proper parallelogram, i.e., opposite edges
do not collapse. Non-generic Hermitian quantifier elimination yields in 170 ms
a quantifier-free formula consisting of 24 atomic formulas.

Example 2. Let $O$ be the center of the circumcircle of a triangle $ABC$. If $O$ does
not lie outside of $ABC$, then $\angle ACB = \angle AOB / 2$. See Figure 1. This example
was taken from [20].

W.l.o.g. we can assume the following coordinates

$$A = (-u_1, 0),\quad B = (u_1, 0),\quad C = (u_2, u_3),\quad O = (0, x_1),\quad F = (0, u_3).$$

We express the theorem as follows:

$$\begin{aligned}
\forall r\, \forall x_1\, \forall t_1\, \forall t_2\, \forall t\, \forall t'\, \big( & r^2 = u_1^2 + x_1^2 \;\wedge\; r^2 = u_2^2 + (u_3 - x_1)^2 \;\wedge {} \\
& u_3 t_1 = u_1 + u_2 \;\wedge\; u_3 t_2 = u_1 - u_2 \;\wedge\; (1 - t_1 t_2)\, t = t_1 + t_2 \;\wedge {} \\
& x_1 t' = u_1 \;\longrightarrow\; t = t' \big).
\end{aligned}$$

Generic Hermitian quantifier elimination on this formula leads in 10 ms to the
result

$$\Theta = u_1^2 - u_2^2 - u_3^2 \neq 0 \wedge u_3 \neq 0, \qquad \varphi' = \mathrm{true}.$$

We now take a closer look at $\Theta$. $u_3 \neq 0$ ensures that not all points of the triangle
lie on the $x$-axis. This is a necessary non-degeneracy condition. The assumption
$u_1^2 - u_2^2 - u_3^2 \neq 0$ prevents the center of the circumcircle from lying on the edge
$AB$. We have proved this theorem if the constructed non-degeneracy assumptions
hold. Actually the theorem holds already for $u_3 \neq 0$, i.e., the second assumption is
superfluous.

Example 3 (Feuerbach's Theorem). The nine-point circle of a triangle is tangent
to the incircle and to each of the excircles of the triangle. See [19] for a
formulation of this problem. We get the following elimination result:

$$\begin{aligned}
\Theta = {} & u_1 u_3 + u_2 \neq 0 \wedge u_1 + 2u_2 + u_3 \neq 0 \wedge u_1 + u_2 \neq 0 \wedge u_1 - u_2 \neq 0 \wedge {} \\
& u_1 - 2u_2 + u_3 \neq 0 \wedge u_1 - u_3 \neq 0 \wedge u_1 \neq 0 \wedge u_2 + u_3 \neq 0 \wedge u_2 - u_3 \neq 0 \wedge {} \\
& u_2 \neq 0 \wedge u_3 \neq 0, \\
\varphi' = {} & u_1 - u_3 \neq 0.
\end{aligned}$$

$\varphi'$ is obviously equivalent to true under the assumption $\Theta$. While we receive
this result in 350 ms, regular Hermitian quantifier elimination cannot eliminate
the quantifiers using 128 MB.

Example 4 (M. Paterson's problem). Erect three similar isosceles triangles
$A_1BC$, $AB_1C$, and $ABC_1$ on the sides of a triangle $ABC$. Then $AA_1$, $BB_1$
and $CC_1$ are concurrent. How does the point of concurrency move as the areas
of the three similar triangles are varied between 0 and $\infty$? This example is
actually an example for theorem finding and not only theorem proving. See Chou [19]
for a description of this problem. We get the following elimination result:

$$\Theta = u_1 u_2 - u_2 x - u_3 y \neq 0 \wedge u_2 - x \neq 0 \wedge u_2 \neq 0 \wedge u_3 - y \neq 0 \wedge y \neq 0,$$

$$\begin{aligned}
\varphi' = {} & u_1^2 u_2 y + u_1^2 u_3 x - 2 u_1^2 x y + u_1 u_2^2 y - 2 u_1 u_2 u_3 x + 2 u_1 u_2 x y - u_1 u_3^2 y \\
& - u_1 u_3 x^2 + u_1 u_3 y^2 - 2 u_2^2 x y + 2 u_2 u_3 x^2 - 2 u_2 u_3 y^2 + 2 u_3^2 x y = 0 \;\vee\; u_1 = 0.
\end{aligned}$$

The result is obtained in 60 ms and describes a geometric locus. If one uses
non-generic Hermitian quantifier elimination for eliminating, the result is obtained
in 2.8 seconds and consists of 295 atomic formulas.

5 Conclusions 

We have presented a generic quantifier elimination method based on Hermitian 
quantifier elimination. For this purpose we have analyzed where making assump- 
tions on parameters may support the algorithm: We compute generic Grobner 
systems instead of regular ones reducing the practical complexity of our algo- 
rithm in all cases. In the special case that no equations occur in the input, we 
have additionally reduced the number of recursions needed. 

By example computations we have shown that our generic Hermitian quan- 
tifier elimination can be successfully used for automatic theorem proving and 
theorem finding. In all examples the results are considerably shorter and the 
computation times are much faster than for regular Hermitian quantifier elimi- 
nation. 
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Abstract. The model generation problem, regarded as a special case 
of the Constraint Satisfaction Problem (CSP), has many applications in 
AI, computer science and mathematics. In this paper, we describe how 
to increase propagation of constraints by using the ground congruence 
closure algorithm. The experimental results show that using the congru- 
ence closure algorithm can reduce the search space for some benchmark 
problems. 



1 Introduction 

Compared to the research on propositional satisfiability problem, the satisfiabil- 
ity of first-order formulas has not received much attention. One reason is that 
the problem is undecidable in general. Since the early 1990's, several researchers
have made serious attempts at solving the finite domain version of the problem.
More specifically, the problem becomes deciding whether the formula is satis- 
fiable in a given finite domain. Several model generation programs have been 
constructed [6, 3, 2, 10, 14, 16]. By model generation we mean, given a set of first 
order formulas as axioms, finding their models automatically. A model is an in- 
terpretation of the function and predicate symbols over some domain, which 
satisfies all the axioms. Model generation is very important to the automation 
of reasoning. For example, the existence of a model implies the satisfiability of 
an axiom set or the consistency of a theory. A suitable model can also serve 
as a counterexample which shows some conjecture does not follow from some 
premises. In this sense, model generation is complementary to classical theorem 
proving. Models help people understand a theory and can guide conventional 
theorem provers in finding proofs. 
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Some of the model generation methods are based on first-order reasoning 
(e.g., SATCHMO [6] and MGTP [2, 3]); some are based on constraint satisfaction 
(e.g., FINDER [10], FALCON [14] and SEM [16]); while others are based on the 
propositional logic (e.g., ModGen [4] and MACE [7]). These tools have been used 
to solve a number of challenging problems in discrete mathematics [11,7,14]. 
Despite such successes, there is still space for improvement on the performance 
of the tools. 

In this paper, we study how to improve the performance of finite model 
searchers by more powerful reasoning mechanisms. Specifically, we propose to 
incorporate congruence closure computation into the search procedure of the 
model generation tools. 

2 Model Generation as Constraint Satisfaction 

The finite model generation problem studied in this paper is stated as follows. 
Given a set of first order clauses and a non-empty finite domain, find an inter- 
pretation of all the function symbols and predicate symbols appearing in the 
clauses such that all the clauses are true under this interpretation. Such an in- 
terpretation is called a model. Here we assume that all the input formulas are 
clauses. Each variable in a clause is (implicitly) universally quantified. 

Without loss of generality, we assume that an $n$-element domain is the set
$\{0, 1, \dots, n-1\}$. The Boolean domain is $\{\mathrm{FALSE}, \mathrm{TRUE}\}$. If the arity of
each function/predicate symbol is at most 2, a finite model can be conveniently
represented by a set of multiplication tables, one for each function/predicate. For
example, a 3-element model of the clause $f(x,x) = x$ is like the following:

    f | 0 1 2
    --+------
    0 | 0 1 0
    1 | 1 1 0
    2 | 0 1 2

Here / is a binary function symbol and its interpretation is given by the above 
2-dimensional matrix. Each entry in the matrix is called a cell. 

In this paper, we treat the problem as a constraint satisfaction problem
(CSP), which has been studied by many researchers in Artificial Intelligence.
The variables of the CSP are the cell terms (i.e., ground terms like f(0,0),
f(0,1), etc.). The domain of each variable is the $n$-element domain (except for
predicates, whose domain is the Boolean domain). The constraints are the set of
ground instances of the input clauses, denoted by $\Psi$. The goal is to find a set of
assignments to the cells (e.g., f(0,1) = 2) such that all the ground clauses hold.

Theoretically speaking, any approach of constraint satisfaction can be used 
for finite model generation. For instance, a simple backtracking algorithm can 
always find a finite model (if it exists) . Of course, a brute- force search procedure 
is too inefficient to be of any practical use. There are many other search pro- 
cedures and heuristics proposed in the AI literature, e.g., forward checking and 
lookahead. See [5] for a good survey. 
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In this paper, we will solve the finite model generation problem using back- 
track search. The basic idea of such a search procedure is roughly like the fol- 
lowing: repeatedly extend a partial model (denoted by Pmod) until it becomes 
a complete model (in which every cell gets a value). Initially Pmod is empty. 
Pmod is extended by selecting an unassigned cell and trying to find a value for 
it (from its domain). When no value is appropriate for the cell, backtracking is 
needed and Pmod becomes smaller. 

The execution of the search procedure can be represented as a search tree. 
Each node of the tree corresponds to a partial model, and each edge corresponds 
to assigning a value to some cell by the heuristic. We define the level of a node
as usual, i.e., the level of the root is 0 and the level of the children of a level $n$
node is $n + 1$.

3 Congruence Closure for Constraint Propagation 

The efficiency of the search procedure depends on many factors. One factor 
is how we can perform reasoning to obtain useful information when a certain 
number of cells are assigned values. That is, we have to address the following 
issue: how can we implement constraint propagation and consistency checking 
efficiently? 

This issue may be trivial for some constraint satisfaction algorithms because 
the constraints they accept are often assumed to be unary or binary. It is true 
that n-ary constraints can be converted into an equivalent set of binary con- 
straints; but this conversion usually entails the introduction of new variables 
and constraints, and hence an increase in problem size. This issue is particu- 
larly important to model generation because in this case, the constraints are 
represented by complicated formulas. Experience tells us that a careful imple- 
mentation can improve the performance of a program significantly. 

In [15], a number of inference rules are described in detail. They are quite 
effective on many problems. In this paper, we discuss another inference rule, 
namely congruence closure, which can be quite useful for equational problems. 

3.1 Congruence Closure 

An equivalence relation is a reflexive, symmetric and transitive binary relation.
A relation $\sim$ on the terms is monotonic if $f(s_1, \dots, s_n) \sim f(t_1, \dots, t_n)$ whenever
$f$ is an $n$-ary function symbol and $s_i \sim t_i$ for every $i$ ($1 \le i \le n$). A congruence
relation is a monotonic equivalence relation. A set of ground equations, $E$, defines
a relation among the ground terms. The congruence generated by $E$, denoted by
$E^*$, is the smallest congruence relation containing $E$.

There are several algorithms for computing the congruence generated by a 
set of ground equations, called congruence closure algorithms, e.g., [1,8]. The 
Nelson-Oppen algorithm [8] represents terms by vertices in a directed graph. It 
uses UNION and FIND to operate on the partition of the vertices, to obtain the 
congruence relation. 
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A congruence closure algorithm can deduce some useful information for finite 
model searching. One example is given in [8]. From the following two equations: 

f (f (f (a) ) ) = a 
f(f(f(f(f(a))))) = a 

we can deduce that f (a) = a. Thus we need not “guess” a value for f (a) , if the 
above two equations are in the input clauses. Without using the congruence clo- 
sure, we may have to try unnecessary assignments such as f (a) = b , f (a) = c, 
etc., before or after the assignment of f (a) = a. 



3.2 An Example 

Let us look at a problem in combinatory logic. A fragment of combinatory
logic is an equational system defined by some equational axioms. We are
interested in the fragment $\{B, N1\}$, whose axioms are:

$$a(a(a(B,x),y),z) = a(x, a(y,z))$$
$$a(a(a(N1,x),y),z) = a(a(a(x,y),y),z)$$

Here $B$ and $N1$ are constants, while the variables $x$, $y$ and $z$ are universally
quantified. The strong fixed point property holds for a fragment of combinatory
logic if there exists a combinator $y$ such that for all combinators $x$, $a(y,x) =
a(x, a(y,x))$. In other words, the fragment has the strong fixed point property
if the formula $\varphi$: $\exists y\, \forall x\, [a(y,x) = a(x, a(y,x))]$ is a logical consequence of the
equational axioms.

In [13], it is shown that the fragment $\{B, N1\}$ does not have the strong
fixed point property, because there is a counterexample of size 5. It is a model
of the following formulas:

(BN1-1) a(a(a(0,x),y),z) = a(x,a(y,z)).

(BN1-2) a(a(a(1,x),y),z) = a(a(a(x,y),y),z).

(BN1-3) a(y,f(y)) != a(f(y),a(y,f(y))).

The last formula is the negation of the formula $\varphi$, where f is a Skolem function
and != means "not equal". In the first two formulas, we assume that B is 0
and N1 is 1. That is, B and N1 take different values. (But it is also possible to
generate a counterexample in which B = N1.)



Search by SEM. When using the standard version of SEM [16], the first few
steps of the search tree are the following:

(1) Choose the cell a(0,0) and assign the value 0 to it.

(2) Choose the cell f(0) and assign the value 1 to it. Note that f(0) cannot
be 0; otherwise the formula (BN1-3) does not hold, because we already have
a(0,0) = 0.

(3) Choose the cell a(0,1) and assign the value 1 to it. After the first two choices,
SEM deduces that a(0,1) cannot be 0. Otherwise, suppose a(0,1) = 0. Let
x = 1 and y = z = 0 in the formula (BN1-1); we have a(a(a(0,1),0),0)
= a(1,a(0,0)), which is simplified to 0 = a(1,0). Then let y = 0 in the
formula (BN1-3); we shall have 0 ≠ 0.

(4) Choose the cell a(1,1) and assign the value 2 to it.

After the first three steps, SEM will also deduce that a(1,1) ≠ 1.

The Effect of Congruence Closure Computation. If we apply the congruence
closure algorithm to the ground instances of the formulas (BN1-1) and
(BN1-2) and the first three assignments

a(0,0) = 0; f(0) = 1; a(0,1) = 1; (P1)

we shall get the conclusion a(1,1) = 1. This contradicts the inequality
a(1,1) ≠ 1 which is deduced by SEM. Thus if we extend SEM's reasoning
mechanism with the congruence closure algorithm, we know that, at step 3,
assigning the value 1 to the cell a(0,1) will lead to a dead end.

Now suppose we try a(0,1) = 2 next. For this new branch, we add the
following three equations to $\Psi$:

a(0,0) = 0; f(0) = 1; a(0,1) = 2. (P2)

After computing the congruence closure, we can get these equations:

a(0,0) = a(1,0) = a(2,0) = 0;
f(0) = 1;
a(0,1) = a(0,2) = a(1,2) = a(2,2) = 2.

However, with the old version of SEM, after the three assignments (P2), we
only deduce a(0,2) = 2 as a new cell assignment. In other words, the partial
model consists of these four assignments:

a(0,0) = 0; f(0) = 1; a(0,1) = 2; a(0,2) = 2.

SEM can also deduce some negative assignments, e.g., a(1,2) ≠ 2. This
contradicts what we get from the closure computation algorithm. Thus, we
have come to a dead end again. We don't need to go further and expand the
search tree (as the old version of SEM does). The difference is illustrated by the
following two search trees:

(Figure: two search trees whose successive levels are the assignments a(0,0) = 0,
f(0) = 1, a(0,1) = ..., a(1,1) = 2.)
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The left tree describes the search process of old SEM, while the right one de- 
scribes the effect of congruence closure computation on the search process. We 
see that some branches of the search tree can be eliminated if we combine con- 
gruence closure computation with existing reasoning methods of SEM. 
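Both deductions above, f(a) = a from the two equations in Section 3.1 and a(1,1) = 1 from (P1), can be reproduced with a small ground congruence closure. The following Python script is an added example, not SEM's or SEMc's code: it implements a union-find congruence closure in the style of Nelson-Oppen (one vertex per term, UNION/FIND on the partition, a signature table to detect congruent applications), enumerates the ground instances of (BN1-1) and (BN1-2) over the 5-element domain, and adds the assignments (P1) or (P2). The negated equation (BN1-3) is not an equation and is not given to the closure. All inputs are constructed inside the script.

```python
# Added example: ground congruence closure (Nelson-Oppen style union-find over
# term vertices with a signature table).  A term is an int or str (constant)
# or a tuple ('f', t1, ..., tk) standing for the application f(t1, ..., tk).

class CongruenceClosure:
    def __init__(self):
        self.parent = {}   # union-find forest over terms
        self.uses = {}     # representative -> applications having it as an argument
        self.sig = {}      # (f, rep(arg1), ...) -> some application with that signature

    def add(self, t):
        """Register t and all of its subterms as vertices."""
        if t in self.parent:
            return
        self.parent[t] = t
        self.uses[t] = []
        if isinstance(t, tuple):
            for arg in t[1:]:
                self.add(arg)
                self.uses[self.find(arg)].append(t)
            s = self.signature(t)
            if s in self.sig:                # same symbol, congruent arguments
                self.merge(self.sig[s], t)
            else:
                self.sig[s] = t

    def find(self, t):
        while self.parent[t] != t:
            self.parent[t] = self.parent[self.parent[t]]   # path halving
            t = self.parent[t]
        return t

    def signature(self, t):
        return (t[0],) + tuple(self.find(arg) for arg in t[1:])

    def merge(self, x, y):
        """UNION the classes of x and y, then propagate the congruences."""
        pending = [(x, y)]
        while pending:
            u, v = pending.pop()
            ru, rv = self.find(u), self.find(v)
            if ru == rv:
                continue
            if len(self.uses[ru]) > len(self.uses[rv]):
                ru, rv = rv, ru
            self.parent[ru] = rv
            for t in self.uses[ru]:          # users of the absorbed class changed signature
                other = self.sig.setdefault(self.signature(t), t)
                if self.find(other) != self.find(t):
                    pending.append((other, t))
            self.uses[rv].extend(self.uses[ru])
            self.uses[ru] = []

    def equal(self, s, t):
        self.add(s)
        self.add(t)
        return self.find(s) == self.find(t)


def closure(equations):
    """Congruence closure of a list of (lhs, rhs) ground equations."""
    cc = CongruenceClosure()
    for lhs, rhs in equations:
        cc.add(lhs)
        cc.add(rhs)
        cc.merge(lhs, rhs)
    return cc

def a(x, y):
    return ('a', x, y)

def f(x):
    return ('f', x)

def bn1_instances(n):
    """Ground instances of (BN1-1) and (BN1-2) over {0, ..., n-1}."""
    eqs = []
    for x in range(n):
        for y in range(n):
            for z in range(n):
                eqs.append((a(a(a(0, x), y), z), a(x, a(y, z))))
                eqs.append((a(a(a(1, x), y), z), a(a(a(x, y), y), z)))
    return eqs

def bn1_closure(assignments, n=5):
    """Closure of the axiom instances together with cell assignments such as (P1)."""
    return closure(bn1_instances(n) + assignments)

if __name__ == '__main__':
    cc = closure([(f(f(f('a'))), 'a'), (f(f(f(f(f('a'))))), 'a')])
    print('f(a) = a follows:', cc.equal(f('a'), 'a'))
    p1 = bn1_closure([(a(0, 0), 0), (f(0), 1), (a(0, 1), 1)])
    print('(P1) gives a(1,1) = 1:', p1.equal(a(1, 1), 1))
    p2 = bn1_closure([(a(0, 0), 0), (f(0), 1), (a(0, 1), 2)])
    print('(P2) gives a(1,2) = 2:', p2.equal(a(1, 2), 2))
```

The derivation the closure finds for (P1) is short: (BN1-1) with x = 1, y = 0, z = 0 gives a(a(1,0),0) = a(1,0); (BN1-2) with x = 0, y = 0 then gives a(a(1,0),z) = a(0,z) for every z, so a(a(1,0),1) = a(0,1) = 1; and (BN1-1) with x = 1, y = 0, z = 1 identifies a(a(1,0),1) with a(1,1). Nothing in this chain is a case split, which is why plain unit propagation in SEM misses it.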



4 The Extended Search Algorithm 

The model generation process can be described by the recursive procedure in
Fig. 1, which searches for every possible model. It can be easily modified to
search for only one model. The procedure uses the following parameters:

— $\mathit{Pmod} = \{(ce, e) \mid e \in \mathit{Dom}(ce)\}$: assignments (cells and their assigned
values), where $\mathit{Dom}(ce)$ is the domain of values for $ce$;

— $\mathcal{D} = \{(ce, D) \mid D \subseteq \mathit{Dom}(ce)\}$: unassigned cells and their possible values;

— $\Psi$: constraints (i.e. the clauses).

Initially $\mathit{Pmod}$ is empty, and $\mathcal{D}$ contains $(ce, \mathit{Dom}(ce))$ for every cell $ce$.



proc search(Pmod, 𝒟, Ψ)
{
  if 𝒟 = ∅ then /* a model is found */
    { print(Pmod); return; }
  choose and delete (ce_1, D_1) from 𝒟;
  if D_1 = ∅ then return; /* no model */
  for e ∈ D_1 do
  {
    (Pmod', 𝒟', Ψ') := propa(Pmod ∪ {(ce_1, e)}, 𝒟, Ψ);
    if Ψ' is not FALSE /* no contradiction found */
      then search(Pmod', 𝒟', Ψ');
  }
}

Fig. 1. The abstract search procedure



The procedure propa(Pmod, 𝒟, Ψ) propagates the assignment Pmod in Ψ: it
simplifies Ψ and may force some variables in 𝒟 to be assigned. The procedure
propa(Pmod, 𝒟, Ψ) is essentially a closure operation (with respect to a set of
sound inference rules). It repeatedly modifies Pmod, 𝒟, and Ψ until no further
changes can be made. When it exits, it returns the modified triple (Pmod, 𝒟, Ψ).
The basic steps of this procedure can be described as follows.

(1) For each new assignment (ce, e) in Pmod, replace the occurrences of ce in Ψ
by e.

(2) If there exists an empty clause in Ψ (i.e., each of its literals became FALSE
during the propagation), replace Ψ by FALSE and exit from the procedure.
Otherwise, for every unit clause in Ψ (i.e. all but one of its literals became
false), examine the remaining literal l:

— If l is a Boolean cell term ce and (ce, D) ∈ 𝒟, then delete (ce, D) from 𝒟
and add (ce, TRUE) to Pmod; similarly, if l is the negation ¬ce of a Boolean
cell term in 𝒟, delete (ce, D) from 𝒟 and add (ce, FALSE) to Pmod.

— If l is of the form EQ(ce, e) (or EQ(e, ce)) and (ce, D) ∈ 𝒟, delete (ce, D)
from 𝒟 and add (ce, e) to Pmod; similarly, if l is of the form ¬EQ(ce, e)
(or ¬EQ(e, ce)) and (ce, D) ∈ 𝒟, then delete e from D.

(3) For each pair (ce, D) ∈ 𝒟, if D = ∅, then replace Ψ by FALSE and exit from
the procedure; if D = {e} (i.e. |D| = 1), then delete the pair (ce, D) from
𝒟 and add the assignment (ce, e) to Pmod.

(4) Let E* = groundCC(Pmod ∪ E(Ψ)), where E(X) is the set of all equations in
X and groundCC(Q) returns the consequences of the congruence closure of the
ground equations Q. If E* and Pmod are inconsistent, replace Ψ by FALSE
and exit from the procedure; otherwise extend Pmod with all cell assignments
in E*.

The last item in the above list is an addition to the original constraint propagation
procedure implemented in SEM. Basically, the extended search algorithm
tries to deduce useful information using congruence closure computation from
all the equations in Ψ and all the cell assignments in Pmod.

When will E* and Pmod be inconsistent? Firstly, if E* puts two domain
elements in the same equivalence class (e.g., 1 = 2, or TRUE = FALSE), we get
an inconsistency. Secondly, if E* contains ce = v but v is not in Dom(ce), then it
is also inconsistent. When consistent, we extend the current partial assignment
Pmod with all cell assignments in E*, i.e. equations like a(0,1) = 2.
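The procedure of Fig. 1 together with steps (1) to (3) of propa, as an added Python example (not SEM's source): clauses are lists of literals over terms, ground instances are generated over the n-element domain, propa replaces assigned cells by their values, handles empty and unit clauses, and assigns cells whose domain has shrunk to a single value, and search enumerates every model. Step (4) is the natural point at which a ground congruence closure would be called and is left out here. The problems are constructed for the example: over a 2-element domain the associativity law alone has exactly 8 models (the labelled semigroups of order 2), adding idempotence f(x,x) = x leaves 4, and adding the negated equation f(0,1) ≠ f(1,0) leaves 2 (the left-zero and right-zero tables).

```python
# Added example, not SEM's code: backtrack search with the propagation steps
# (1)-(3).  A term is an int (domain element), a str (clause variable) or a
# tuple ('f', t1, ..., tk); a literal is (positive, lhs, rhs); a clause is a
# list of literals read as a disjunction; a cell is ('f', e1, ..., ek) over ints.
from itertools import product

def subst(t, env):
    if isinstance(t, str):
        return env[t]
    if isinstance(t, int):
        return t
    return (t[0],) + tuple(subst(arg, env) for arg in t[1:])

def ground_instances(clauses, n):
    """All ground instances of (clause, variables) pairs over {0, ..., n-1}."""
    out = []
    for clause, variables in clauses:
        for values in product(range(n), repeat=len(variables)):
            env = dict(zip(variables, values))
            out.append([(pos, subst(l, env), subst(r, env)) for pos, l, r in clause])
    return out

def reduce_term(t, pmod):
    """Step (1).  Returns an int, an unassigned cell whose arguments are all
    known, or None when some argument is still unknown."""
    if isinstance(t, int):
        return t
    args = [reduce_term(arg, pmod) for arg in t[1:]]
    if not all(isinstance(arg, int) for arg in args):
        return None
    cell = (t[0],) + tuple(args)
    return pmod.get(cell, cell)

def propa(pmod, dom, clauses):
    """Steps (1)-(3).  Returns (pmod, dom) or None on a contradiction."""
    pmod, dom = dict(pmod), {c: set(d) for c, d in dom.items()}
    changed = True
    while changed:
        changed = False
        for clause in clauses:
            open_lits, satisfied = [], False
            for pos, l, r in clause:
                x, y = reduce_term(l, pmod), reduce_term(r, pmod)
                if isinstance(x, int) and isinstance(y, int):
                    if (x == y) == pos:
                        satisfied = True
                        break
                else:
                    open_lits.append((pos, x, y))
            if satisfied:
                continue
            if not open_lits:                      # step (2): empty clause
                return None
            if len(open_lits) == 1:                # step (2): unit clause
                pos, x, y = open_lits[0]
                if isinstance(y, tuple) and isinstance(x, int):
                    x, y = y, x
                if isinstance(x, tuple) and isinstance(y, int):   # EQ(ce, e) or its negation
                    if pos:
                        if y not in dom[x]:
                            return None
                        pmod[x], changed = y, True
                        del dom[x]
                    elif y in dom[x]:
                        dom[x].discard(y)
                        changed = True
        for cell, values in list(dom.items()):     # step (3)
            if not values:
                return None
            if len(values) == 1:
                pmod[cell], changed = values.pop(), True
                del dom[cell]
    return pmod, dom

def search(pmod, dom, clauses, found):
    if not dom:                                    # every cell has a value
        found.append(pmod)
        return
    cell = min(dom)                                # fixed cell-selection heuristic
    rest = {c: d for c, d in dom.items() if c != cell}
    for e in sorted(dom[cell]):
        result = propa({**pmod, cell: e}, rest, clauses)
        if result is not None:
            search(result[0], result[1], clauses, found)

def models(clauses, arities, n):
    """Every model over {0, ..., n-1}; arities maps each symbol to its arity."""
    dom = {(s,) + cell: set(range(n))
           for s, k in arities.items() for cell in product(range(n), repeat=k)}
    ground, found = ground_instances(clauses, n), []
    start = propa({}, dom, ground)
    if start is not None:
        search(start[0], start[1], ground, found)
    return found

# Constructed problems: (clause, universally quantified variables).
ASSOC = ([(True, ('f', ('f', 'x', 'y'), 'z'), ('f', 'x', ('f', 'y', 'z')))], ['x', 'y', 'z'])
IDEMP = ([(True, ('f', 'x', 'x'), 'x')], ['x'])
NONCOMM = ([(False, ('f', 0, 1), ('f', 1, 0))], [])

if __name__ == '__main__':
    print(len(models([ASSOC], {'f': 2}, 2)), 'associative tables on 2 elements')
```

Because every deduction in propa is sound and search tries every remaining value of the chosen cell, the enumeration is exhaustive: on the 3-element instance of the idempotence clause it returns the 729 tables with a fixed diagonal, i.e. exactly the models described by the multiplication table in Section 2.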

5 Implementation and Experiments 

We have extended SEM [16] with the Nelson-Oppen algorithm [8] for computing 
congruences. We call the new version SEMc. 

The implementation of the congruence closure algorithm is straightforward. 
No advanced data structures are used. As a result, the efficiency is not so good. 
But this still allows us to experiment with the new search procedure. 

Since congruence computation may not offer new information at all nodes of 
the search tree, we add a control parameter (denoted by Lvl) to SEMc. It means 
that congruence is only computed at nodes whose levels are less than Lvl. 

We have experimented with SEMc on some model generation problems. Ta- 
ble 1 compares the performances of SEMc with that of SEM. The results were 
obtained on a Dell Optiplex GX270 (Pentium 4, 2.8 GHz, 2G memory), running 
RedHat Linux. In the table, the running times are given in seconds. A “round” 
refers to the number of times when we try to find an appropriate value for a 
selected cell. This can be done either when extending a partial solution (i.e., 
trying to assign a value for a new cell) or during backtracking (i.e., trying to 
assign a new value to a cell which already has a value). 

Here BN1 refers to the combinatory logic problem described in Section 3.
The problem glx has the following two clauses:

f(z,f(g(f(y,z)),f(g(f(y,g(f(y,x)))),y))) = x
f(0,g(0)) != f(1,g(1))

The existence of a model implies that the first equation is not a single axiom for
group theory. The other problems are from TPTP [12].

Table 1. Performance comparison

    Problem    Size  Satisfiable  SEM Round  SEM Time  SEMc Round  SEMc Time
    BN1        4     No           888        0.00      502         0.22
    BN1        5     Yes          34         0.00      26          0.02
    glx        4     Yes          11803      0.05      675         0.11
    BOO033-1   5     Yes          29         0.00      27          0.05
    LCL137-1   6     Yes          609        0.01      569         0.03
    LCL137-1   8     Yes          5662       0.09      5466        0.15
    ROB012-1   3     No           983694     2.55      982652      2.69
    ROB015-1   3     No           1004638    2.25      1001420     2.35

For some problems, there are non-unit clauses as well as negated equations. 
Thus the use of congruence computation does not make much difference. For 
problems like glx where complex equations dominate in the input, the new 
version of SEM can reduce the number of branches greatly (by 17 times). 

In the above experiments, Lvl is set to 10 (an arbitrary value). Without the 
restriction, the overhead of computing congruence closure might be significant. 

6 Concluding Remarks 

Many factors can affect the efficiency of a backtrack procedure. In the context of 
finite model searching, these include the heuristics for choosing the next cell and 
the inference rules for deducing new information from existing assignments. In 
this paper, we have demonstrated that adding congruence computation as a new 
inference rule can reduce the number of branches of the search tree, especially 
when most clauses are complex equations. 

The current implementation is not so efficient because we have implemented 
only the original Nelson-Oppen algorithm [8] for computing congruences. With 
more efficient data structures and algorithms (e.g. [9]), we expect that the run- 
ning time of SEMc can be reduced. Another way of improvement is that the 
congruence should be computed incrementally. In the current version of SEMc, 
each time the congruence is computed, the algorithm starts from all ground in- 
stances of the input equations. However, during the search, many of them can 
be neglected (when both the left-hand side and the right-hand side are reduced 
to the same value). 

Acknowledgements 

We are grateful to the anonymous reviewers for their detailed comments and 
suggestions.

102 J. Zhang and H. Zhang



References 

1. P.J. Downey, R. Sethi and R.E. Tarjan, Variations on the common subexpression
problem, J. ACM 27(4): 758-771, 1980.

2. M. Fujita, J. Slaney and F. Bennett, Automatic generation of some results in finite
algebra, Proc. 13th IJCAI, 52-57, 1993.

3. R. Hasegawa, M. Koshimura and H. Fujita, MGTP: A parallel theorem prover
based on lazy model generation, Proc. CADE-11, LNAI 607, 776-780, 1992.

4. S. Kim and H. Zhang, ModGen: Theorem proving by model generation, Proc. 12th
AAAI, 162-167, 1994.

5. V. Kumar, Algorithms for constraint satisfaction problems: A survey, AI Magazine
13(1): 32-44, 1992.

6. R. Manthey and F. Bry, SATCHMO: A theorem prover implemented in Prolog,
Proc. CADE-9, LNCS 310, 415-434, 1988.

7. W. McCune, A Davis-Putnam program and its application to finite first-order
model search: Quasigroup existence problems. Technical Report ANL/MCS-TM-194,
Argonne National Laboratory, 1994.

8. G. Nelson and D.C. Oppen, Fast decision procedures based on congruence closure,
J. ACM 27(2): 356-364, 1980.

9. R. Nieuwenhuis and A. Oliveras, Congruence closure with integer offsets, Proc.
10th LPAR, LNAI 2850, 78-90, 2003.

10. J. Slaney, FINDER: Finite domain enumerator - system description, Proc. CADE-12,
LNCS 814, 798-801, 1994.

11. J. Slaney, M. Fujita and M. Stickel, Automated reasoning and exhaustive search:
Quasigroup existence problems, Computers and Mathematics with Applications
29(2): 115-132, 1995.

12. G. Sutcliffe and C. Suttner, The TPTP problem library for automated theorem
proving, http://www.cs.miami.edu/~tptp/

13. J. Zhang, Problems on the generation of finite models, Proc. CADE-12, LNCS 814,
753-757, 1994.

14. J. Zhang, Constructing finite algebras with FALCON, J. Automated Reasoning
17(1): 1-22, 1996.

15. J. Zhang and H. Zhang, Constraint propagation in model generation, Proc. Int'l
Conf. on Principles and Practice of Constraint Programming, LNCS 976, 398-414,
1995.

16. J. Zhang and H. Zhang, SEM: A system for enumerating models, Proc. 14th IJCAI,
298-303, 1995.




On the Combination 
of Congruence Closure and Completion 



Christelle Scharff¹* and Leo Bachmair²

¹ Department of Computer Science, Pace University, NY, USA
cscharff@pace.edu

² Department of Computer Science, SUNY Stony Brook, NY, USA
leo@cs.sunysb.edu



Abstract. We present a graph-based method for constructing a con- 
gruence closure of a given set of ground equalities that combines the key 
ideas of two well-known approaches, completion and abstract congruence 
closure, in a natural way by relying on a specialized and optimized ver- 
sion of the more general, but less efficient, SOUR graphs. This approach 
allows for efficient implementations and a visual presentation that bet- 
ter illuminates the basic ideas underlying the construction of congruence 
closures and clarifies the role of original and extended signatures and the
impact of rewrite techniques for ordering equalities. 



1 Introduction 

Theories presented by finite sets of ground (i.e., variable-free) equalities are 
known to be decidable. A variety of different methods for solving word problems 
for ground equational theories have been proposed, including algorithms based 
on the computation of a congruence closure of a given relation. Efficient con- 
gruence closure algorithms have been described in [5, 8, 10, 12]. These algorithms 
typically depend on sophisticated, graph-based data structures for representing 
terms and congruence relations. 

A different approach to dealing with ground equational theories is represented 
by term rewriting [1,4], especially the completion method [7] for transforming a 
given set of equalities into a convergent set of directed rules that defines unique 
normal forms for equal terms and hence provides a decision procedure for the 
word problem of the underlying equational theory. Completion itself is a semi- 
decision procedure but under certain reasonable assumptions about the strategy 
used to transform equalities, is guaranteed to terminate if the input is a set of 
ground equalities. Completion methods are not as efficient as congruence closure, 
though an efficient ground completion method has been described by [13], who
obtains an $O(n \log(n))$ algorithm that cleverly uses congruence closure to transform
a given set of ground equalities into a convergent ground rewrite system.
Standard completion is quadratic in the worst case [11].

* This work is supported by the National Science Foundation under grant
ITR-0326540.



B. Buchberger and J.A. Campbell (Eds.): AISC 2004, LNAI 3249, pp. 103-117, 2004.
© Springer-Verlag Berlin Heidelberg 2004




104 



C. Scharff and L. Bachmair 



We combine the two approaches in a novel way, different from [6], and present
an efficient graph-based method that combines the key ideas of completion and
abstract congruence closure [2, 3]. Our approach employs a specialized version
of the SOUR graphs that were developed for general completion [9]. In SOUR 
graphs the vertices represent terms and the edges carry information about sub- 
term relations between terms (S), rewrite rules (R), unifiability of terms (U) and 
order relations between terms (O). In the application to congruence closure we 
consider only ground terms and hence do not need unification edges. Moreover, 
general term orders are too restrictive as well as too expensive to maintain, and 
hence we also dispense with order edges and manipulate rewrite edges in a differ- 
ent way, based on the explicit use of edges (E) representing unordered equalities. 
Thus, our modifications amount to what might be called “SER graphs.” This 
modified, and simplified, graph structure provides a suitable basis for computing 
congruence closures. We represent terms and equalities by a directed graph that 
supports full structure sharing. The vertices of the graph represent terms, or 
more generally equivalence classes of terms; edges represent the subterm struc- 
ture of the given set of terms, as well as equalities and rewrite rules. 

Some of the graph transformation rules we use are simpler versions of SOUR 
graph rules and, in logical terms, correspond to combinations of critical pair 
computations and term simplifications. We also include an explicit “merge rule” 
that is well-known from congruence closure algorithms, but only implicitly used 
in SOUR graphs. Exhaustive application of these transformation rules terminates,
is sound in that the equational theory represented over Σ-terms does not
change, and complete in that the final rewrite system over the extended signature
is convergent.

The main difference between our approach and the abstract congruence clo- 
sure framework of [3] is that the graph-based formalism naturally supports a 
term representation with full structure sharing, which can not be directly de- 
scribed in an abstract, inference-based framework, though the effect of graph 
transformation rules can be indirectly simulated by suitable combinations of 
inference rules. 

The efficiency of our method crucially depends on the use of a simple ordering 
(that needs to be defined only on the set of constants extending the original term 
signature), rather than a full term ordering. The corresponding disadvantage is 
that we do not obtain a convergent rewrite system over the original signature, 
but only over an extended signature. However, we may obtain a convergent 
rewrite system on the original signature by further transforming the graph in a 
way reminiscent of the compression and selection rules of [2, 3]. 

We believe that our approach allows for a visual presentation that better 
illuminates the basic ideas underlying the construction of congruence closures. 
In particular, it clarifies the role of original and extended signatures and the 
impact of rewrite techniques for ordering equalities. It should also be suitable 
for educational purposes. 

The graph-based construction of a congruence closure is described in Sec- 
tion 3. In Section 4 we show how to obtain a convergent rewrite system over 
the original signature. Section 5 contains examples. In Section 6 we discuss the
influence of the ordering on the efficiency of our method and present complexity
results. A full version of this article with proofs and more examples is available
at: http://www.csis.pace.edu/~scharff/CC.

2 Preliminaries 

We assume the reader is familiar with standard terminology of equational logic
and rewriting. Key definitions are included below; more details can be found
in [1,4]. In the following, let Σ and K be disjoint sets of function symbols. We
call Σ the (basic) signature, and Σ ∪ K the extended signature. The elements of
K are assumed to be constants, and are denoted by subscripted letters $c_i$ ($i \ge 0$).

Flat Ground Terms. The height $H$ of a term is recursively defined by: if
$t$ is a variable, then $H(t) = 0$, otherwise $H(t) = H(f(t_1, \dots, t_n)) = 1 +
\max\{H(t_1), \dots, H(t_n)\}$. A term is said to be flat if its height is 2 at most.
We will consider flat ground terms, i.e., variable-free terms $t$ with $H(t) \le 2$.

D-Rules, C-Rules, C-Equalities. A D-rule on Σ ∪ K is a rewrite rule $f(c_1, \dots,
c_n) \to c_0$, where $f \in \Sigma$ is a function symbol of arity $n$ and $c_0, c_1, \dots, c_n$ are
constants of K. A C-rule on Σ ∪ K (respectively, a C-equality) is a rule $c_0 \to c_1$
(respectively, an equality $c_0 \approx c_1$), where $c_0$ and $c_1$ are constants of K.

The constants in K will essentially serve as names for equivalence classes of
terms. Thus, an equation $c_i \approx c_j$ indicates that $c_i$ and $c_j$ are two names for the
same equivalence class. A constant $c$ is said to represent a term $t \in T(\Sigma \cup K)$
via a rewrite system $R$, if $t \to_R^* c$.

Abstract Congruence Closure. A ground rewrite system $R = D \cup C$ of D-
and C-rules on Σ ∪ K is called an abstract congruence closure if: (i) each constant
$c_0 \in K$ represents some term $t \in T(\Sigma)$ via $R$ and (ii) $R$ is convergent. If $E$ is
a set of ground equalities over $T(\Sigma \cup K)$ and $R$ an abstract congruence closure
such that for all terms $s$ and $t$ in $T(\Sigma)$, $s \approx_E t$ if, and only if, there exists a term
$u$ with $s \to_R^* u \leftarrow_R^* t$, then $R$ is called an abstract congruence closure of $E$. That
is, the word problem for an equational theory $E$ can be decided by rewriting to
normal form using the rules of an abstract congruence closure $R$ of $E$.

3 Graph-Based Congruence Closure 

We describe a graph-based method for computing an abstract congruence closure
of a given set of ground equalities $E$ over a signature Σ. First a directed
acyclic graph (DAG) is constructed that represents the set $E$, as well as terms
occurring in $E$. In addition, each vertex of this initial graph is labeled by a
distinct constant $c_i$ of K. Next various graph transformation rules are applied
that represent equational inferences with the given equalities. Specifically, there
are four mandatory rules (Orient, SR, RRout, and Merge) and one optional
rule (RRin). Exhaustive application of these rules, or saturation, will under
certain reasonable assumptions yield an abstract congruence closure. The vertices
of each (initial and transformed) graph represent equivalence classes of terms.
Transformed graphs need not be acyclic, but will conform to full structure sharing
in that different vertices represent different terms (or equivalence classes).
The transformation rules crucially depend on an ordering on K.¹

3.1 Initial Graphs 

We consider directed graphs where each vertex $v$ is labeled by (i) a function
symbol of Σ, denoted by Symbol($v$), and (ii) a constant of K, denoted by
Constant($v$). In addition, edges are classified as equality, rewrite, or subterm
edges. We write $u \to_E v$ and $u \to_R v$ to denote equality and rewrite edges (between
vertices $u$ and $v$), respectively. Subterm edges are also labeled by an index,
and we write $u \to_S^i v$. Informally, this subterm edge indicates that $v$ represents
the $i$-th subterm of the term represented by $u$.

An initial graph DAG($E$) represents a set of equalities $E$ as well as the
subterm structure of terms in $E$. It is characterized by the following conditions:
(i) if Symbol($v$) is a constant, then $v$ has no outgoing subterm edges; and (ii)
if Symbol($v$) is a function symbol of arity $n$, then there is exactly one edge of
the form $v \to_S^i v_i$ for each $i$ with $1 \le i \le n$. (That is, the number of outgoing
subterm edges from $v$ reflects the arity of Symbol($v$).)

The term Term($v$) represented by a vertex $v$ is recursively defined as follows:
if Symbol($v$) is a constant, then Term($v$) = Symbol($v$); if Symbol($v$) is a function
symbol of arity $n$, then Term($v$) = Symbol($v$)(Term($v_1$), ..., Term($v_n$)),
where $v \to_S^i v_i$ for $1 \le i \le n$. Evidently, Term($v$) is a term over signature Σ.
We require that distinct vertices of DAG($E$) represent different terms. Moreover,
we insist that DAG($E$) contain no rewrite edges and that each equality
edge $u \to_E v$ correspond to an equality $s \approx t$ of $E$ (with $u$ and $v$ representing $s$
and $t$, respectively), and vice versa.

The vertices of the graph DAG($E$) also represent flat terms over the extended
signature Σ ∪ K. More specifically, if Symbol($v$) is a constant, then
ExtTerm($v$) = Constant($v$), and if Symbol($v$) is a function symbol of arity $n$,
then ExtTerm($v$) = Symbol($v$)(Constant($v_1$), ..., Constant($v_n$)), where
$v \to_S^i v_i$ for $1 \le i \le n$.

We should point out that the labels Constant{v) allow us to dispense with the 
extension rule of abstract congruence closure [2,3]. The initial graph DAG{E) 
contains only subterm and equality edges. Rewrite edges are introduced during 
graph transformations. The term representation schema for transformed graphs 
is also more complex, see Section 4. 

3.2 Graph Transformation 

We define the graph transformations by rules. The first rule, Orient, can be
used to replace an equality edge, $v \to_E w$, by a rewrite edge, $v \to_R w$, provided
Constant($v$) $\succ$ Constant($w$). If the ordering is total, then every equality edge
for which Constant($v$) $\ne$ Constant($w$) can be replaced by a rewrite edge (one
way or the other).

¹ An ordering is an irreflexive and transitive relation on terms. An ordering is total
if for any two distinct terms $s$ and $t$, $s \succ t$ or $t \succ s$.



On the Combination of Congruence Closure and Completion 107

The ordering needs to be defined on constants in K only, not on terms
over Σ ∪ K. Term orderings, as employed in SOUR graphs, are inherently more
restrictive and may be detrimental to the efficiency of the congruence closure
construction. For instance, well-founded term orderings must be compatible with
the subterm relation, whereas we may choose an ordering with Constant($v$) $\succ$
Constant($w$) for efficiency reasons, even though Term($v$) may be a subterm of
Term($w$).

The SR rule replaces one subterm edge by another one. In logical terms it 
represents the simplification of a subterm by rewriting, or in fact the simulta- 
neous simplification of all occurrences of a subterm, if the graph presentation 
encodes full structure sharing for terms. 

The RRout and RRin rules each replace one rewrite edge by another. They correspond
to certain equational inferences with the underlying rewrite rules (namely,
critical pair computations and compositions, which for ground terms are also 
simplifications). The RRin rule is useful for efficiency reasons, though one can 
always obtain a congruence closure without it. If the rule is applied exhaustively, 
the resulting congruence closure will be a right-reduced rewrite system over the 
extended signature. 

The Merge rule collapses two vertices that represent the same term over the 
extended signature into a single vertex. It ensures closure under congruence and 
full structure sharing. 

The graph transformation rules are formally defined as pairs of tuples of
the form $(E_S, E_E, E_R, V, K, KC) \Rightarrow (E'_S, E'_E, E'_R, V', K', KC')$, where the
individual components specify a graph, an extended signature, and an ordering
on new constants, before and after rule application. Specifically,

— the first three components describe the sets of subterm, equality, and rewrite
edges, respectively;

— the fourth component describes the set of vertices;

— the fifth component describes the extension of the original signature Σ;²
and

— the last component describes the (partial) ordering on constants. Specifically,
$KC$ is a set of "ordering constraints" of the form $c_i \succ c_j$ with $c_i, c_j \in K$.
(A set of such constraints is considered satisfiable if there is an irreflexive,
transitive relation on K that meets all of them.)

The specific conditions for the various rules are shown in Figures 1 and 2. For
example, if two vertices $v$ and $w$ represent the same flat term (over the extended
signature), then the merge rule can be used to delete one of the two vertices,
say $v$, and all its outgoing subterm edges. All other edges that were incident on
$v$ need to be redirected to $w$, with the proviso that outgoing rewrite edges have
to be changed to equality edges.

² We have K' ⊆ K, which is different from abstract congruence closure [2,3], where
new constants can be introduced.

Construction of a congruence closure starts from an initial tuple
$(E_S, E_E, E_R, V, K, \emptyset)$, the first five components of which are derived from
DAG($E$) (so that $E_R$ is empty).³ Transformation rules can then be applied
nondeterministically. The rules SR, RRout and RRin are only applied if they result
in a new edge.

There are various possible strategies for orienting equality edges. One may
start with a fixed, total ordering on constants, or else construct an ordering "on
the fly." Different strategies may result in different saturated graphs, see Example 2.
The choice of the ordering is crucial for efficiency reasons, as discussed in
Section 6. The ordering also prevents the creation of cycles of equality or
rewrite edges, though the SR rule may introduce self-loops or cycles involving
subterm edges. (Such a cycle indicates that a term is equivalent to one of
its subterms in the given equational theory.) See Section 3.3 and Example 2 for
more details.

Definition 1. We say that a graph $G$ is saturated if it contains only subterm
and rewrite edges and no further graph transformation rules can be applied.

3.3 Extraction of Rules 

We can extract D-rules, C-rules and C-equalities from the initial and transformed
graphs as follows. A vertex $v_0$ with ExtTerm($v_0$) = $t$ and Constant($v_0$)
= $c_0$ induces a D-rule $t \to c_0$. An equality edge $v_1 \to_E v_2$ induces a C-equality
$c_1 \approx c_2$, where Constant($v_1$) = $c_1$ and Constant($v_2$) = $c_2$. A rewrite edge
$v_1 \to_R v_2$ induces a C-rule $c_1 \to c_2$, where Constant($v_1$) = $c_1$ and Constant($v_2$) = $c_2$.
With each tuple $(E_S, E_E, E_R, V, K, KC)$ we associate a triple $(K, E_X, R_X)$,
where $E_X$ is the set of C-equalities and $R_X$ is the set of D- and C-rules extracted
from the graph $G$ specified by the first four components of the given tuple. Thus,
with the initial graph we associate a triple $(K_0, E_{X_0}, R_{X_0})$, where $R_{X_0}$ is empty
and $E_{X_0}$ represents the same equational theory over Σ-terms as the given set of
equations $E$. The goal is to obtain a triple $(K_n, E_{X_n}, R_{X_n})$, where $E_{X_n}$ is empty
and $R_{X_n}$ is an abstract congruence closure of $E$.

3.4 Correctness 

The following can be established: 

— Exhaustive application of the graph transformation rules is sound in that
the equational theory represented over Σ-terms does not change.

— Exhaustive application of the graph transformation rules terminates. This 
can be proved by assigning a suitable weight to graphs that decreases with 
each application of a transformation rule. 

— Exhaustive application of the rules is complete in that the rewrite system 
that can be extracted from the final graph is convergent and an abstract con- 
gruence closure for E. (If the optional RRin rule has been applied exhaus- 
tively, the final rewrite system over the extended signature is right-reduced.) 

³ We essentially begin with the same graph as the Nelson-Oppen procedure, as
described in the abstract congruence closure framework [2, 3].

Fig. 1. Orient, SR, RRout and RRin graph transformation rules

4 Rewrite System over the Original Signature

In this section we explain how to obtain a convergent rewrite system over the
original signature Σ (independent of the ordering on constants of K) from a
graph $G$ saturated with respect to Orient, SR, RRout, RRin and Merge. Basically,
at this point, constructing the convergent rewrite system over Σ from $G$
consists of eliminating the constants of K from $G$. Indeed, the constants of K are
"names" of equivalence classes, and the same equivalence class may have several
"names." There are two methods. The first method works on the convergent
rewrite system over Σ ∪ K extracted from $G$. Redundant constants (constants
appearing on the left-hand side of C-rules) are eliminated by applications
of compression rules and non-redundant constants are eliminated by selection
rules as described in [2,3]. The second method, which we propose in this article,
permits us to work directly and only on the graph $G$, by transforming the graph
in a way reminiscent of the compression and selection rules. We define the notion
of redundant constants on a graph saturated with respect to Orient, SR,
RRout, RRin and Merge, and introduce three mandatory graph transformation
rules: Compression, Selection 1 and Selection 2. These inference rules eliminate
constants from K, and redirect R and S edges. They also remove cycles of S
edges from the graph. Their exhaustive nondeterministic application produces a
DAG representing a convergent rewrite system over the original signature. The
graph data structure permits us to visualize in parallel what happens on the
original and extended signatures. For example, the Selection 1 rule redirects R
edges that were oriented in the "wrong" way during the abstract congruence
process. Indeed, if we need to redirect an R edge, it means that the ordering on
the constants of K that was used or constructed "on the fly" is in contradiction
with any ordering on terms of

4.1 Graph-Based Inference Rules 

Definition 2. A constant $c_0$ of K labeling a vertex with an incident outgoing R
edge is called redundant.

The Compression, Selection 1 and Selection 2 rules are provided in Figure 3.
Redundant constants of K are eliminated by the Compression rule. Both Selection
1 and Selection 2 implement the original selection rule of [2,3]. Selection
1 is implemented by finding an R edge from a vertex $v$ representing a term $t$
of $T(\Sigma)$ (i.e., all the vertices reachable from $v$ following S edges are labeled by
constants of Σ only) to a vertex labeled by a non-redundant constant $c_0$ of K
on the graph, reversing the direction of this R edge, redirecting all the incoming
S and R edges incident to $c_0$ to $v$, and eliminating $c_0$ from the graph. Hence, it
consists of picking a representative term $t$ over Σ for the equivalence class of $c_0$.
Selection 2 is described as follows. If a vertex $v$ is labeled by a constant $c_0$ of K,
and all the vertices reachable from $v$ following S edges are labeled by constants
of Σ only, then the constant $c_0$ of K is eliminated from the graph. A particular
case of this rule occurs when a vertex is labeled by a constant $c_0$ of K and a
constant $c$ of Σ.

4.2 Correctness 

When applying Compression, Selection 1 and Selection 2, the graph is in its
maximal structure sharing form. It can be represented by a state $(K, R)$, where
K is the set of constants disjoint from Σ labeling the vertices of the graph,
and $R$ is the set of rewrite rules read from the graph over Σ ∪ K. We use the
symbol $\vdash$ to denote the one-step transformation relation on states induced by
Compression, Selection 1, and Selection 2. A derivation is a sequence of states
$(K_0, R_0) \vdash (K_1, R_1) \vdash \dots$, and $K_i \subset K_j$ for $i > j \ge 0$. We call a state $(K, R)$
final if no mandatory transformation rules (Compression, Selection 1, Selection
2) are applicable to this state. We prove that Compression, Selection 1 and
Selection 2 are sound in that the equational theory represented over Σ-terms
does not change. If there is a constant of K labeling a vertex of the graph, then
either Compression, Selection 1 or Selection 2 can be applied, and the exhaustive
application of Compression, Selection 1 and Selection 2 terminates. Termination
is easily shown because the application of Compression, Selection 1 or
Selection 2 reduces the number of constants of K by one. The final state of a
derivation describes a DAG labeled by constants of Σ only, that does not contain
cycles of S edges, and represents a convergent rewrite system over Σ.

Fig. 3. Compression, Selection 1 and Selection 2 graph transformation rules

5 Examples 

Example 1. Figure 4 a) presents the construction of DAG($E$), where
$E = \{f(f(f(a))) \approx a,\ f(f(a)) \approx a,\ g(c,c) \approx f(a),\ g(c,h(a)) \approx g(c,c),\ c \approx
h(a),\ b \approx m(f(a))\}$ and $K = \{c_1, \dots, c_{10}\}$. We apply all the following mandatory
transformations on DAG($E$) in a certain order, constructing the order on the
constants of K "on the fly." Orient orients the E edge between $c_1$ and $c_4$ into an
R edge from $c_4$ to $c_1$ ($c_4 \succ c_1$), and the E edge between $c_1$ and $c_3$ into an R edge
from $c_1$ to $c_3$ ($c_1 \succ c_3$). We can apply an SR transformation that replaces the
S edge from $c_2$ to $c_3$ by an S edge from $c_2$ to $c_1$. Let $c_2 \succ c_4$. We merge $c_2$ and
$c_4$; $c_2$ is removed from the graph, the S edges between $c_2$ and $c_3$ are removed,
the E edge from $c_6$ to $c_2$ is replaced by an E edge from $c_6$ to $c_3$, and a self-loop
composed of an S edge is added from $c_3$ to itself. $c_4$ and $c_3$ can be merged, and $c_4$
is removed from the graph ($c_4 \succ c_3$). The S edge between $c_4$ and $c_3$ is removed
from the graph, and the R edge from $c_4$ to $c_1$ is simply removed, because there
is already an R edge from $c_1$ to $c_3$. We orient the E edge between $c_{10}$ and $c_8$
from $c_{10}$ to $c_8$ ($c_{10} \succ c_8$), the E edge between $c_7$ and $c_5$ from $c_7$ to $c_5$ ($c_7 \succ c_5$),
the E edge between $c_6$ and $c_3$ from $c_6$ to $c_3$ ($c_6 \succ c_3$), and the E edge
between $c_9$ and $c_6$ from $c_9$ to $c_6$ ($c_9 \succ c_6$). We can apply an SR transformation
that adds an S edge from $c_9$ to $c_5$, and removes the S edge from $c_9$ to $c_7$. $c_9$
and $c_6$ are merged, and $c_9$ is removed from the graph. The R edge between $c_9$
and $c_6$ is removed from the graph. We obtain the saturated graph labeled by
$\{c_1, c_3, c_5, c_6, c_7, c_8, c_{10}\}$ such that $\{c_6 \succ c_3,\ c_7 \succ c_5,\ c_1 \succ c_3,\ c_{10} \succ c_8\}$, presented
in Figure 4 b). The convergent rewrite system over the extended signature is:

$\{c_7 \to c_5,\ c_6 \to c_3,\ c_1 \to c_3,\ c_{10} \to c_8,\ c \to c_5,\ a \to c_1,\ b \to c_8,\ h(c_3) \to
c_7,\ g(c_5,c_5) \to c_6,\ f(c_3) \to c_3,\ m(c_3) \to c_{10}\}$. By applying Compression for the
redundant constants $c_{10}$, $c_7$, $c_6$ and $c_1$, Selection 2 to eliminate $c_5$ and $c_8$, and
Selection 1 to eliminate $c_3$, we obtain $\{h(a) \to c,\ g(c,c) \to a,\ f(a) \to a,\ m(a) \to
b\}$, the convergent rewrite system over Σ that we read from Figure 4 c).

Fig. 4. a) Initial DAG for $E = \{f(f(f(a))) \approx a,\ f(f(a)) \approx a,\ g(c,c) \approx f(a),\ g(c,h(a)) \approx
g(c,c),\ c \approx h(a),\ b \approx m(f(a))\}$, b) Saturated graph for $E$ on the extended signature,
c) DAG on the original signature



Example 2. Figure 5 presents the constructions of a) DAG($E$) where $E =
\{f(a,b) \approx a\}$, and its saturated counterparts following two strategies. In b),
$c_3 \succ c_1$ and in c), $c_1 \succ c_3$. In c), there is a self-loop composed of an S
edge. The two saturated graphs with respect to Orient, SR, RRout, RRin and
Merge are labeled by $\{c_1, c_2, c_3\}$. In b), the rewrite system on the extended
signature is $\{f(c_1,c_2) \to c_3,\ c_3 \to c_1,\ a \to c_1,\ b \to c_2\}$, and in c), it is
$\{f(c_3,c_2) \to c_3,\ c_1 \to c_3,\ a \to c_1,\ b \to c_2\}$. Both saturated graphs generate
the DAG d) on the original signature representing $\{f(a,b) \to a\}$.

Fig. 5. a) Initial DAG for $E = \{f(a,b) \approx a\}$, b) Saturated graph for $E$ with $c_3 \succ c_1$,
c) Saturated graph for $E$ with $c_1 \succ c_3$, and d) DAG on the original signature
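As an added, runnable illustration of Sections 2 to 5 (it is not the authors' SER-graph implementation and says nothing about the system at the URL above), the following Python code builds the shared-term DAG of Section 3.1 with every vertex labelled by a constant of K, uses a union-find structure whose parent pointers are the R edges in place of Orient, SR and Merge, extracts the D- and C-rules of Section 3.3, decides word problems by rewriting to normal form as in Section 2, and finally removes the constants of K along the lines of Section 4 by letting the smallest Σ-term of each class stand for it. RRout and RRin need no counterpart here because each C-rule is read directly from a vertex to its class representative, which is the right-reduced form those rules produce. The equation sets are those of Examples 1 and 2; the Python term encoding, the union-by-size orientation and the word-problem queries are choices made for this example.

```python
"""Abstract congruence closure on a shared-term DAG (an added example, not the
authors' SER-graph code).  A term is a string (a constant of Sigma) or a tuple
(f, t1, ..., tn) for f(t1, ..., tn); vertex i carries the constant c<i+1> of K."""


class CongruenceClosure:
    def __init__(self):
        self.symbol, self.args, self.parent, self.size = {}, {}, {}, {}
        self.uses, self.sig = {}, {}     # class rep -> parents; flat term -> vertex

    def find(self, v):                   # class representative: follow the R edges
        while self.parent[v] != v:
            v = self.parent[v]
        return v

    def key(self, v):                    # ExtTerm(v) with arguments replaced by reps
        return (self.symbol[v],) + tuple(self.find(c) for c in self.args[v])

    def vertex(self, term):
        """Shared vertex of a ground Sigma-term; builds DAG(E) bottom-up."""
        sym, sub = (term, ()) if isinstance(term, str) else (term[0], term[1:])
        k = (sym,) + tuple(self.find(self.vertex(t)) for t in sub)
        if k not in self.sig:            # otherwise: full structure sharing
            v = self.sig[k] = len(self.symbol)
            self.symbol[v], self.args[v], self.parent[v], self.size[v], self.uses[v] = sym, k[1:], v, 1, []
            for cls in set(k[1:]):       # register v as a parent of each argument class
                self.uses[cls].append(v)
        return self.sig[k]

    def merge(self, u, w):
        """Orient u ~ w (smaller class into larger, the n log n ordering of Section 6), then SR/Merge."""
        pending = [(u, w)]
        while pending:
            a, b = map(self.find, pending.pop())
            if a == b:
                continue
            if self.size[a] > self.size[b]:
                a, b = b, a
            self.parent[a], self.size[b] = b, self.size[a] + self.size[b]   # R edge c_a -> c_b
            for p in self.uses[a]:       # SR: S edges into a now reach b
                holder = self.sig.setdefault(self.key(p), p)
                if holder != p:          # same flat term as another vertex: Merge
                    pending.append((p, holder))
            self.uses[b] += self.uses.pop(a)

    def close(self, equations):
        for s, t in equations:
            self.merge(self.vertex(s), self.vertex(t))
        return self

    def extended_rules(self):
        """Section 3.3: D-rules {flat term: vertex}, C-rules {vertex: class rep}; Merge-deleted vertices are skipped."""
        d_rules, c_rules = {}, {}
        for v in self.symbol:
            if self.sig.get(self.key(v)) == v:
                d_rules[self.key(v)] = v
                if self.find(v) != v:
                    c_rules[v] = self.find(v)
        return d_rules, c_rules

    def normal_form(self, term, d_rules, c_rules):
        """Rewrite with R = D u C (Section 2); an int result is a constant of K."""
        sym, sub = (term, ()) if isinstance(term, str) else (term[0], term[1:])
        k = (sym,) + tuple(self.normal_form(t, d_rules, c_rules) for t in sub)
        if k not in d_rules:
            return k                     # irreducible term over Sigma u K
        v = d_rules[k]
        while v in c_rules:              # apply C-rules c_i -> c_j
            v = c_rules[v]
        return v

    def original_rules(self, d_rules):
        """Section 4 in spirit: represent each class by its smallest Sigma-term."""
        fmt = lambda s, a: s if not a else "%s(%s)" % (s, ",".join(a))
        rep, changed = {}, True
        while changed:                   # bottom-up fixpoint over the D-rules
            changed = False
            for k, v in d_rules.items():
                if all(i in rep for i in k[1:]):
                    t, c = fmt(k[0], [rep[i] for i in k[1:]]), self.find(v)
                    if c not in rep or (len(t), t) < (len(rep[c]), rep[c]):
                        rep[c], changed = t, True
        pairs = {(fmt(k[0], [rep[i] for i in k[1:]]), rep[self.find(v)])
                 for k, v in d_rules.items()}
        return {l + " -> " + r for l, r in pairs if l != r}


# Equation sets of Examples 1 and 2, plus (constructed) word-problem queries.
E1 = [(("f", ("f", ("f", "a"))), "a"), (("f", ("f", "a")), "a"),
      (("g", "c", "c"), ("f", "a")), (("g", "c", ("h", "a")), ("g", "c", "c")),
      ("c", ("h", "a")), ("b", ("m", ("f", "a")))]
E2 = [(("f", "a", "b"), "a")]
QUERIES = [(("f", ("f", ("f", "a"))), "a"), (("g", "c", ("h", "a")), "a"),
           (("m", ("f", "a")), "b"), ("b", "a"), (("f", "b"), ("f", "a"))]


def word_problem(equations, queries):
    """s ~E t iff s and t rewrite to the same normal form."""
    cc = CongruenceClosure().close(equations)
    d, c = cc.extended_rules()
    return [cc.normal_form(s, d, c) == cc.normal_form(t, d, c) for s, t in queries]
```

For Example 1 this yields eleven rules over the extended signature, as in the paper, though with different choices on ties, since the smaller class is always oriented towards the larger one instead of the order being built by hand; the system over Σ is the paper's {h(a) → c, g(c,c) → a, f(a) → a, m(a) → b}, and the queries answer True, True, True, False, False. For Example 2 the tie-break gives the orientation of Figure 5 b); orienting c1 towards c3 instead is what produces the S self-loop of Figure 5 c).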



6 Complexity Results and Implementation 

Our algorithms to obtain rewrite systems over extended and original signatures
use only polynomial space to store the rewrite systems. Let $n$ be the number of
vertices of the initial DAG. During the abstract congruence process, there can
only be subterm edges, and $n(n-1)/2$ equality and rewrite edges, because
an edge can only be added once to a graph, and there are never two equality or
rewrite edges between the same vertices (because of the ordering on the constants
of K). Moreover, the number of vertices can only decrease (as a result of merging).

In comparing our graph-based approach with the logic-based approach of [2, 
3], we find that graphs support full structure sharing and consequently our ap- 
proach will tend to lead to fewer applications of transformation rules than cor- 
responding applications of logical inference rules in the standard method. This 
by itself does not imply that our approach will be more efficient as full struc- 
ture sharing depends on systematic application of the Merge rule, which can be 
expensive. 

Efficient implementations of congruence closure require specialized data
structures. Also, abstract congruence closure efficiency is parametrized by the
choice or construction "on the fly" of the ordering on the constants of K. In
our case, E edges are oriented into R edges using this ordering. There exist
naive ways to choose the ordering. For example, we can use a total and linear
ordering on the constants of K. There is a tradeoff between the effort spent in
constructing an ordering, the time spent in comparing two constants, and the
lengths of derivations (number of graph transformations). The graph data structure
permits us to understand the influence of the ordering on the length of
any derivation, and to construct "on the fly" orderings that control the number
of inferences. It suggests new efficient procedures for constructing efficient
abstract congruence closures. Indeed, the number of times we apply SR and RRout
depends on how we apply Orient. Applying an RRout rule can create an SR
configuration; so we would orient an E edge in the direction that creates
fewer SR and RRout configurations. Merge configurations can be created after
the application of an SR rule.

When constructing the ordering, we do not allow backtracking, so we are
only interested in feasible orderings, i.e. orderings that will produce unfailing
derivations, i.e. derivations terminating with a saturated graph (as defined in
Definition 1). Starting from an initial state representing the initial DAG, the
maximal derivation is in $O(n\delta)$, where $n$ is the number of vertices of the initial
DAG, and $\delta$ is the depth of the ordering (i.e. the longest chain $c_0 \succ c_1 \succ \dots \succ
c_\delta$). So, any maximal derivation starting from an initial state is bounded by a
quadratic upper bound. Indeed, any total and linear order is feasible and can be
used. There exists a feasible ordering with smaller depth that can be computed
"on the fly," and produces a maximal derivation of length $n \log(n)$ [2, 3]. This
ordering is based on orienting an E edge from $v_0$ to $v_1$ if the number of elements
of the equivalence class of Constant($v_0$) is less than or equal to the number
of elements of the equivalence class of Constant($v_1$). This can be applied
only if all RRout and RRin inference rules have been processed for $v_0$ and $v_1$.
The number of elements in the equivalence class of a constant Constant($v$) is
computed by counting the number of incoming R edges at vertex $v$.

A first implementation of our method is available for online experimentation at http://www.csis.pace.edu/~scharff/CC. It is written in Java and uses Java servlets and XML. The implemented system contains (i) a parsing component that also transforms a given set of equalities into a DAG, (ii) a graph component that manages the graph, and (iii) an inference component that deals with the application of the transformation rules. In particular, the strategy for the application of rules is coded in XML and is therefore modifiable. An efficient strategy applies simplifications before orienting equalities (one at a time):

(Orient . ((SR . Merge)*)* . (RRout . RRin . ((SR . Merge)*)*)*)* ¹

The ordering used in the implementation is a total and linear ordering. Given a signature and a set of equalities, the system displays the initial C equalities and D rules, the convergent rewrite system over the extended signature and the convergent rewrite system over the original signature. Some statistics are also provided: the number of inferences of each type, and the processing times.

¹ * means that the strategy is applied 0 or more times. X . Y means that Y is applied after X.
7 Conclusion and Future Work

We have presented a new graph-based method for constructing a congruence clo- 
sure of a given set of ground equalities. The method combines the key ideas of 
two approaches, completion and standard congruence closure, in a natural way 
by relying on a data structure, called “SER graphs,” that represents a special- 
ized and optimized version of the more general, but less efficient, SOUR-graphs. 
We believe that our approach allows for efficient implementations and a visual 
presentation that better illuminates the basic ideas underlying the construction 
of congruence closures. In particular it clarifies the role of original and extended 
signatures and the impact of rewrite techniques for ordering equalities. Our ap- 
proach should therefore be suitable for educational purposes. 

A first implementation of our method is available. The method we described processes all equalities at once during construction of the initial graph. It is relatively straightforward to devise a more flexible, incremental approach, in which equalities are processed one at a time. Once the first equality is represented by a graph, transformation rules are applied until a "partial" congruence closure has been obtained. Then the next equation is processed by extending the current graph to represent any new subterms, followed by another round of graph transformations. This process continues until all equations have been processed. An advantage of the incremental approach is that simplifying graph transformations can be applied earlier. We expect to make implementations of both the incremental and the non-incremental versions available.
Abstract. Nonlinear constraint systems can be solved by combining
consistency techniques and search. In this approach, the search space is 
reduced using local reasoning on constraints. However, local computa- 
tions may lead to slow convergences. In order to handle this problem, we 
introduce a symbolic technique to combine nonlinear constraints. Such 
redundant constraints are further simplified according to the precision of 
interval computations. As a consequence, constraint reasoning becomes 
tighter and the solving process faster. The efficiency of this approach is 
shown using experimental results from a prototype. 

Keywords: Interval arithmetic, numerical constraint, local consistency, 
symbolic algorithm, redundant constraint. 



1 Introduction 

The problem of solving a conjunction (a system) of nonlinear constraints over the real numbers is uncomputable in general [3]. Only approximations may be computed using machine numbers. Interval arithmetic [14] provides a set of operations over interval numbers. In this framework, every real quantity is enclosed by an interval. The general interval-based algorithm for solving nonlinear constraint systems is a bisection process. The search space, defined by the Cartesian product of variable domains, is recursively bisected and reduced until a desired precision is reached. Unfortunately, the problem of approximating a constraint system using interval numbers is intractable in general.

Local consistency techniques are tractable algorithms that may accelerate the bisection algorithm [13,12]. Basically, the search space may be reduced using constraint projections on variables. Given a variable occurring in a constraint, the projection is the set of values that may be assigned to the variable such that the constraint can be satisfied. These values are said to be consistent. It follows that the complementary set (the inconsistent values) can be removed from the variable domain. Such domain reductions have to be iterated until reaching quiescence. Unfortunately, these techniques may be weak, since some constraint projection may be less precise than the projection of the solution set.

The locality problem of projection-based reasoning can be handled in several ways, one of which is the symbolic combination of constraints [1]. The purpose is to eliminate variables in order to concentrate the global information of the system in a smaller set of variables. As a consequence, local reasoning over the new constraints may derive global information. In this paper, we propose to improve consistency reasoning by means of redundant constraints [16], as shown in the following example (which is very simple for the sake of comprehension).

Example 1. Let $x$ and $y$ be two variables lying in the real interval $[-10, 10]$. Consider the following constraint systems:

$$P = \begin{cases} xy = 1 \\ xy = 2 \end{cases} \qquad\qquad P' = \begin{cases} xy = 1 \\ xy \sin(y) = 2 \end{cases}$$

It is worth noticing that variable domains cannot be reduced using projections, e.g., for every value of $x$ (take $x = 2$), there exists a value of $y$ such that $xy = 1$ (here $y = 0.5$). The same conclusions are obtained for $y$ and for the second constraint. However, these problems are not satisfiable, which can be easily verified. The term $xy$ is equal to two terms in $P$ whose evaluations are not compatible ($1 \neq 2$). As a consequence, $P$ is not satisfiable. The quotient of the left-hand terms of the equations of $P'$ must be equal to the quotient of the right-hand terms. Simplifying the result gives $\sin(y) = 2$. Since a sine cannot be greater than 1, $P'$ is not satisfiable.

Example 1 shows that the combination of terms introduces more global reasoning into the process of solving nonlinear constraint systems. The first, well-known, idea is to share projections on terms, not only on variables. The second idea is to combine terms using symbolic transformations. This approach can be seen as a form of microscopic redundant computation, which may work for equations or inequalities. Since nonlinear constraints cannot be simplified in general, only well-chosen terms have to be combined.

In the following, we will focus on box consistency [2], the local consistency 
technique implemented in Numerica [17]. Box consistency is a basis for approx- 
imating constraint projections using interval numbers. The first contribution 
of this paper is the generalization of the definition of box consistency to pro- 
cess projections on terms. The second contribution is the combination technique 
used to generate redundant constraints that may improve box consistency. An 
implementation has been done in RealPaver [6]. Encouraging experimental re- 
sults have been obtained on a set of known problems from different application 
domains. 

The rest of this paper is organized as follows. Section 2 presents the basics 
related to numerical constraints and interval constraint solving. The main con- 
tributions are introduced in Section 3. The experimental results are discussed 
in Section 4. Last, Section 5 summarizes the contributions and points out some 
directions for future research. 
2 Preliminaries

2.1 Formulas

Let $\Sigma_{\mathbb{R}}$ be the usual real-based structure where the set of real numbers $\mathbb{R}$ is associated with arithmetic operations, elementary functions and equality and inequality relations. Formulas are written using a first-order language $L$ defined by an infinite countable set of variables $\{x_1, x_2, \dots\}$ and a set of symbols with arities, namely constants, functions and relations. In the following, we will use the same symbols to denote the elements of $\Sigma_{\mathbb{R}}$ and the symbols of $L$.

A term is a syntactic expression built by induction from variables, constants and function symbols of $L$. A constraint is an atomic formula of the form $f \bowtie g$ where $f$ and $g$ are terms and $\bowtie$ is a relation symbol. A formula is defined by induction from constraints, connectives and quantifiers. In the following, formulas will be written with the variables $x_1, \dots, x_n$, the natural $n$ being arbitrarily large. Given a syntactic element $S$, the set of variables occurring in $S$ is denoted by $\mathrm{Var}(S)$, and the notation $S(x_1, \dots, x_n)$ will mean that the sets $\mathrm{Var}(S)$ and $\{x_1, \dots, x_n\}$ are identical. The number of occurrences of a variable $x_i$ in $S$ will be denoted by $\mathrm{mult}(S, x_i)$. Given two terms $f$ and $g$ and a term $h$ occurring in $f$, let $f[h \leftarrow g]$ denote the term obtained from $f$ by replacing all the occurrences of $h$ with $g$. Let $T$ be the set of terms.

Evaluating a term $f(x_1, \dots, x_n)$ in the domain $\mathbb{R}$ consists in assigning a value $a_i \in \mathbb{R}$ to each variable $x_i$ and applying the functions of $\Sigma_{\mathbb{R}}$ that correspond to the symbols. The satisfaction of a constraint $C(x_1, \dots, x_n)$ requires evaluating terms and verifying the relation. If the relation is verified then the tuple $(a_1, \dots, a_n)$ is a solution of $C$ in the domain $\mathbb{R}$. Let $f_{\mathbb{R}}$ and $C_{\mathbb{R}}$ respectively denote the mapping from $\mathbb{R}^n$ to $\mathbb{R}$ corresponding to the evaluation of $f$ and the relation of $\mathbb{R}^n$ defined by the set of solutions of $C$ in $\mathbb{R}$.

A conjunction of constraints is a formula $F(x_1, \dots, x_n)$ of the form $C_1 \wedge \dots \wedge C_m$. The satisfaction of $F$ consists in assigning a value $a_i \in \mathbb{R}$ to each variable $x_i$ and verifying that all constraints $C_j$ are satisfied. If the formula is satisfied then the tuple $(a_1, \dots, a_n)$ is a solution of $F$ in the domain $\mathbb{R}$. Let $F_{\mathbb{R}}$ denote the relation of $\mathbb{R}^n$ defined by the set of solutions of $F$ in $\mathbb{R}$. In the following, only conjunctions of constraints will be considered, and a solution in $\mathbb{R}$ will simply be called a solution.

2.2 Interval Arithmetic

Interval arithmetic [14,9] can be used to conservatively enclose the solutions of formulas by Cartesian products of intervals. Interval computations are done in an interval-based structure $\Sigma_{\mathbb{I}}$. This structure can be defined by a homomorphism $\mu$ from $\Sigma_{\mathbb{R}}$ to $\Sigma_{\mathbb{I}}$, as follows. The notations $f_{\mathbb{R}}$, $C_{\mathbb{R}}$ and $F_{\mathbb{R}}$ used with the domain $\mathbb{R}$ will simply be changed into $f_{\mathbb{I}}$, $C_{\mathbb{I}}$ and $F_{\mathbb{I}}$.

Constants. Consider the set of floating-point numbers $\mathbb{F}$ defined by the IEEE standard [10] and the set of intervals $\mathbb{I}$ whose bounds are in $\mathbb{F}$. Let $[l, u]$ denote the interval $I$ with bounds $l$ and $u$. The standard defines two rounding operations that associate to each real number $a$ the closest floating-point numbers $\lfloor a \rfloor$ and $\lceil a \rceil$ such that $\lfloor a \rfloor \le a \le \lceil a \rceil$. These operations enable the computation of the convex hull of every set of real numbers $A$, defined by the interval $\square A = [\lfloor \inf A \rfloor, \lceil \sup A \rceil]$. Then $\mu$ maps every real number $a$ to the interval $\square\{a\}$. The membership, union and intersection operations in $\mathbb{I}$ are naturally extended to interval vectors. It is worth noticing that an interval vector $D = (D_1, \dots, D_n)$ is a machine representation of the box $D_1 \times \dots \times D_n$. In the following, interval vectors and associated Cartesian products will simply be called boxes.

Terms. Interval arithmetic is a reliable extension of real arithmetic in the sense that every interval computation results in a superset of the result of the corresponding real computation. Arithmetic operations and elementary functions are implemented by computation over interval bounds according to monotonicity properties. For instance, given two intervals $I = [a, b]$ and $J = [c, d]$, $\mu$ maps the addition and subtraction operations and the exponential function to the following interval functions:

$$\begin{cases} I + J = [\lfloor a + c \rfloor, \lceil b + d \rceil] \\ I - J = [\lfloor a - d \rfloor, \lceil b - c \rceil] \\ \exp(I) = [\lfloor \exp(a) \rfloor, \lceil \exp(b) \rceil] \end{cases}$$

It is worth noticing that term evaluation in $\Sigma_{\mathbb{I}}$ exactly corresponds to the application of an interval function called the natural form. The main result from interval arithmetic is the following inclusion theorem:

Theorem 1. Consider a term $f(x_1, \dots, x_n)$. Then for all $D \in \mathbb{I}^n$ the following property holds:

$$\{ f_{\mathbb{R}}(a_1, \dots, a_n) \mid a_1 \in D_1, \dots, a_n \in D_n \} \subseteq f_{\mathbb{I}}(D_1, \dots, D_n).$$

Informally speaking, the evaluation of $f_{\mathbb{I}}$ is a superset of the range of $f_{\mathbb{R}}$ on the domain $D$.

Constraints. The interval versions of relations originate from an existential extension of real relations. For instance, given two intervals $I = [a, b]$ and $J = [c, d]$, $\mu$ maps equations and inequalities to the following predicates:

$$\begin{cases} I = J \iff \exists u \in I\ \exists v \in J : u = v \iff \max(a, c) \le \min(b, d) \\ I \le J \iff \exists u \in I\ \exists v \in J : u \le v \iff a \le d \end{cases}$$

Constraint satisfaction in $\Sigma_{\mathbb{I}}$ uses natural forms of terms and existential extensions of relations. The aim is to compute reliable approximations of constraint solutions, which leads to the following theorem:

Theorem 2. Consider a constraint $C(x_1, \dots, x_n)$. Then for all $D \in \mathbb{I}^n$ we have:

$$\exists a_1 \in D_1 \dots \exists a_n \in D_n . (a_1, \dots, a_n) \in C_{\mathbb{R}} \implies (D_1, \dots, D_n) \in C_{\mathbb{I}}.$$

Informally speaking, each box containing a solution of $C$ in $\mathbb{R}$ must be included in the interval relation. As a consequence, the approximation does not lose any solution. Methods based on constraint satisfaction in $\Sigma_{\mathbb{I}}$ are said to be complete.

Notations. Given a box $D$ and a term $f$ (resp. a constraint $C$) such that each of its variables has a domain in $D$, let $D|_f$ (resp. $D|_C$) be the restriction of $D$ to the variables of $f$ (resp. $C$). In the following, we will simply write $f_{\mathbb{I}}(D)$ (resp. $D \in C_{\mathbb{I}}$) for $f_{\mathbb{I}}(D|_f)$ (resp. $D|_C \in C_{\mathbb{I}}$).



2.3 Numeric Constraints

A numerical constraint satisfaction problem (NCSP) is given by a conjunction of constraints $F(x_1, \dots, x_n)$ of the form:

$$C_1 \wedge \dots \wedge C_m \wedge x_1 \ge a_1 \wedge x_1 \le b_1 \wedge \dots \wedge x_n \ge a_n \wedge x_n \le b_n$$

NCSPs can be solved by a bisection algorithm, which maintains a set of boxes. The initial box is given by the variable domains. Boxes are processed by splitting and narrowing operations. A splitting step transforms a box into a set of smaller boxes whose union is equivalent. A narrowing operation reduces a box by removing facets that are solution-free. The output is a set of boxes whose union is a superset of the set of solutions of the NCSP.



2.4 Narrowing 

A basic narrowing procedure consists in using constraint satisfaction in the interval structure. Given a box, if at least one constraint is not satisfied then the whole NCSP cannot be satisfied. By Theorem 2, it follows that it cannot be satisfied in the real structure. As a consequence, the box can be rejected. Unfortunately this method is weak, since a solution-free space needs to be completely isolated by splitting before being eliminated.

A more powerful approach is based on constraint projections. In the constraint programming literature [12], projections have been defined to determine the allowed values of one variable in order to satisfy one constraint in the real domain. More precisely, given a constraint $C(x_1, \dots, x_n)$, a box $D \in \mathbb{I}^n$ and a variable $x_i$ occurring in $C$, the projection of $C$ on $x_i$ in $D$ is the set of real numbers

$$\Pi_{x_i}(C, D) = \{ a_i \in D_i \mid \exists a_1 \in D_1, \dots, \exists a_{i-1} \in D_{i-1}, \exists a_{i+1} \in D_{i+1}, \dots, \exists a_n \in D_n . (a_1, \dots, a_n) \in C_{\mathbb{R}} \}.$$

The definition of projections is naturally extended to conjunctions of constraints by considering that all constraints have to be satisfied. In most solving engines of existing solvers, only one constraint is used during a narrowing operation. That leads to the locality problem, which is the main concern of our work. Given a box $D$, a variable $x_i$ and two constraints $C$ and $C'$, the following inclusion holds, though the equality is not verified in general:

$$\Pi_{x_i}(C \wedge C', D) \subseteq \Pi_{x_i}(C, D) \cap \Pi_{x_i}(C', D) \qquad (1)$$

Example 2. Consider the NCSP defined by two constraints $C : x_1 + x_2 = 0$ and $C' : x_1 - x_2 = 0$ and the box $D = [-1, 1]^2$. The projections over $x_1$ are as follows:

$$\Pi_{x_1}(C \wedge C', D) = [0, 0] \subset [-1, 1] = \Pi_{x_1}(C, D) = \Pi_{x_1}(C', D)$$

The problem of processing existential quantifications in the definition of projections is intractable. A main idea is then to implement constraint satisfaction in the interval domain, which leads to the narrowing procedure called box consistency [2]. In the following, the restriction of the original definition to natural forms is given:

Definition 1 (Box consistency). Consider a constraint $C(x_1, \dots, x_n)$, a box $D \in \mathbb{I}^n$ and a natural $i$ that belongs to the set $\{1, \dots, n\}$. The domain $D_i$ is said to be box consistent wrt. $C$ if we have:

$$D_i = \square\{ a \in D_i \mid (D_1, \dots, D_{i-1}, \square\{a\}, D_{i+1}, \dots, D_n) \in C_{\mathbb{I}} \}$$

The corresponding narrowing procedure allows one to reduce the domain $D_i$ if the equality is not verified, using the following operation:

$$\theta : (x_i, C, D) \mapsto \square\{ a \in D_i \mid (D_1, \dots, D_{i-1}, \square\{a\}, D_{i+1}, \dots, D_n) \in C_{\mathbb{I}} \}$$

This operation computes an approximation of the projection of $C$ on $x_i$ in $D$. The narrowing procedure is complete, since the computed domain encloses the corresponding projection, that is:

$$\Pi_{x_i}(C, D) \subseteq \theta(x_i, C, D) \qquad (2)$$

However the resulting interval may be arbitrarily large wrt. the projection. This is closely related to the dependency problem of interval arithmetic, which leads to weak interval computations [8].
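The interval arithmetic of Section 2.2, the inclusion property of Theorem 1 and the narrowing operator $\theta$ of Definition 1, put together in an added Python example (this code is not from the paper or from RealPaver): outward-rounded interval operations, the natural form of a term, and box-consistency narrowing computed by a bisection search for the leftmost and rightmost points of $D_i$ at which the constraint stays satisfiable. It is run on the systems of Example 1 and on the constraints of Example 2. The tuple encodings of terms and constraints, the function names, the bisection tolerance and the use of `math.nextafter` (Python 3.9 or later) for directed rounding are this example's own assumptions.

```python
import math

def down(a):  # round toward -inf: the floor operation of the IEEE standard
    return math.nextafter(a, -math.inf)

def up(a):    # round toward +inf: the ceiling operation
    return math.nextafter(a, math.inf)

def add(I, J): return (down(I[0] + J[0]), up(I[1] + J[1]))
def sub(I, J): return (down(I[0] - J[1]), up(I[1] - J[0]))
def mul(I, J):
    p = (I[0] * J[0], I[0] * J[1], I[1] * J[0], I[1] * J[1])
    return (down(min(p)), up(max(p)))
def exp_(I): return (down(math.exp(I[0])), up(math.exp(I[1])))
def sin_(I):
    # endpoint values, widened to 1 / -1 when a maximum / minimum of sin lies in I
    a, b = I
    lo, hi = min(math.sin(a), math.sin(b)), max(math.sin(a), math.sin(b))
    k = math.ceil((a - math.pi / 2) / (2 * math.pi))      # first maximum >= a
    if math.pi / 2 + 2 * k * math.pi <= b: hi = 1.0
    k = math.ceil((a + math.pi / 2) / (2 * math.pi))      # first minimum >= a
    if -math.pi / 2 + 2 * k * math.pi <= b: lo = -1.0
    return (down(lo), up(hi))

BIN = {'+': add, '-': sub, '*': mul}
UN = {'exp': exp_, 'sin': sin_}

def natural(f, D):
    """Natural form f_I(D): the syntax tree of f evaluated with interval operations.
    Terms: ('var', i), ('const', c), ('+'|'-'|'*', f, g), ('exp'|'sin', f)."""
    op = f[0]
    if op == 'var': return D[f[1]]
    if op == 'const': return (down(f[1]), up(f[1]))      # hull of the real constant
    if op in BIN: return BIN[op](natural(f[1], D), natural(f[2], D))
    return UN[op](natural(f[1], D))

def intersect(I, J):
    """I ∩ J, or None when it is empty."""
    lo, hi = max(I[0], J[0]), min(I[1], J[1])
    return (lo, hi) if lo <= hi else None

def satisfied(C, D):
    """Existential satisfaction in Sigma_I of the projection constraint f ∈ I."""
    f, I = C
    return intersect(natural(f, D), I) is not None

def narrow(i, C, D, eps=1e-9):
    """theta(x_i, C, D): hull of the points of D_i at which C stays satisfiable,
    found by bisection from each end; None when no such point exists."""
    def ok(J):
        E = list(D); E[i] = J
        return satisfied(C, tuple(E))
    def bound(J, left):
        if not ok(J): return None
        if J[1] - J[0] <= eps: return J[0] if left else J[1]
        m = (J[0] + J[1]) / 2
        first, second = ((J[0], m), (m, J[1])) if left else ((m, J[1]), (J[0], m))
        r = bound(first, left)
        return r if r is not None else bound(second, left)
    lo = bound(D[i], True)
    return None if lo is None else (lo, bound(D[i], False))

# Constructed inputs: the variables and the box of Example 1.
x, y = ('var', 0), ('var', 1)
xy = ('*', x, y)
BOX = ((-10.0, 10.0), (-10.0, 10.0))

def example1():
    """Projection on x reduces nothing for xy = 1 (Example 1); intersecting the
    shared term xy of P (Lemma 1) and narrowing the combined constraint
    sin(y) = 2 of P' both give an empty result."""
    c1 = (xy, (1.0, 1.0))                                   # xy = 1
    c2 = (xy, (2.0, 2.0))                                   # xy = 2
    x_dom = narrow(0, c1, BOX)                              # stays [-10, 10]
    shared = intersect(intersect(natural(xy, BOX), c1[1]), c2[1])
    combined = narrow(1, (('sin', y), (2.0, 2.0)), BOX)     # sin(y) ∈ [2, 2]
    return x_dom, shared, combined

def dependency():
    """x - x over [0, 1]: the natural form is [-1, 1] although the range is {0}."""
    return natural(('-', x, x), ((0.0, 1.0),))
```

`narrow` returns `None` when no point of $D_i$ keeps the constraint satisfiable, which is the case where a box can be rejected; `dependency` exhibits the dependency problem mentioned at the end of Section 2.4, the reason why $\theta$ can be arbitrarily weaker than the projection.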

3 Symbolic-Numeric Techniques 

Box consistency and projections have been defined wrt. the variables. Noticing that variables are instances of terms leads to generalizing these notions.

Definition 2 (Box consistency on terms). Let $C(x_1, \dots, x_n)$ be a constraint. Consider a box $D \in \mathbb{I}^n$ and a term $f$ occurring in $C$. Let $x_{n+1}$ be a fresh variable and let the constraint $C'$ be $C[f \leftarrow x_{n+1}]$. The domain $f_{\mathbb{I}}(D)$ is said to be box consistent wrt. $C$ if we have:

$$f_{\mathbb{I}}(D) = \square\{ a \in f_{\mathbb{I}}(D) \mid (D_1, \dots, D_n, \square\{a\}) \in C'_{\mathbb{I}} \}$$

If the domain of term $f$ is not box consistent then it may be reduced by means of the narrowing operation $\theta(f, C, D)$. By Theorem 1 the reduced domain must be a superset of the range of $f_{\mathbb{R}}$ on $D$.

Box consistency is a method for bounding the range of a term over a domain. Given a term $f$ and an interval $I$, let $f \in I$ denote a projection constraint, which means that the range of $f_{\mathbb{R}}$ over the current domain must be included in $I$. We will assume in this section that there exist efficient algorithms able to compute such an interval $I$. An effective implementation will be described in Section 4.

In the following, projection constraints will be considered as first-class constraints. The purpose of our work is to combine projection constraints in order to handle the locality problem for the variables occurring in $f$.

3.1 Term Sharing 

The first idea, which may be considered as a well-known result, is to share terms in NCSPs. It suffices to represent the set of constraint expressions as a Directed Acyclic Graph (DAG). As a consequence, intersections of domains do not only happen at variable nodes but also at non-variable term nodes. The following lemma shows that projections of different constraints on the same term just need to be intersected to reduce its domain of possible values.

Lemma 1. Let $f$ be a term and let $I$ and $J$ be two intervals. Then we have:

$$f \in I \wedge f \in J \implies f \in I \cap J$$

This technique is a first approach to handle the locality problem. As shown in the introduction and in the following example, it corresponds to the use of a redundant equation. However, the redundant equation does not have to be represented, since the reductions are directly obtained in the DAG.

Example 3. Consider the conjunction of constraints

$$\cos(xy) = 2 \sin(x) \wedge \cos(xy) + \cos(y) = 0$$

in the box $[-10, 10]^2$. The application of a bisection algorithm at the maximal machine precision leads to the generation of about $1.5 \cdot 10^{?}$ boxes and to the evaluation of $3 \cdot 10^{?}$ interval operations. If the term $\cos(xy)$ is shared then the number of boxes decreases to $1.5 \cdot 10^{?}$ and the number of evaluations to $5 \cdot 10^{?}$. The gain is more than one order of magnitude on this problem. In fact, sharing the term $\cos(xy)$ is equivalent to using the redundant constraint $2 \sin(x) + \cos(y) = 0$.

3.2 Term Combination 

The second idea is to mimic elimination procedures for linear and polynomial systems of equations. The goal is to derive redundant constraints which may improve the precision of consistency computations and the computation time. These remarks led us to the following motivations: combination of terms which can be simplified, and reuse of already computed intervals for terms. The notion of combination function is well-known for linear terms or S-polynomials [5,3]. We now give a general definition to cope with nonlinear combinations.

Definition 3 (Combination function). Let $\varphi(u, v)$ be a term in which $u$ and $v$ occur only once. The underlying combination function $\rho$ is defined as follows:

$$\rho : \begin{cases} T^2 \to T \\ (f, g) \mapsto \varphi[u \leftarrow f, v \leftarrow g] \end{cases}$$

In the following, every function $\rho$ will be supposed to be associated with a term $\varphi$, even if $\varphi$ is not mentioned. These functions are used to process projection constraints of the form $f \in I$. The combination method is described in the following lemma, the result being a redundant constraint.

Lemma 2. Let $f$ and $g$ be two terms and let $I$ and $J$ be two intervals. Given a combination function $\rho$, the following relation holds:

$$f \in I \wedge g \in J \implies \rho(f, g) \in \varphi_{\mathbb{I}}(I, J)$$

The previous lemma is interesting since it shows how to introduce a redundant constraint. Terms $f$ and $g$ are combined by $\rho$ and the evaluation of $\varphi_{\mathbb{I}}$ on $(I, J)$ gives a range of the redundant term $\rho(f, g)$. However, the following lemma shows that this redundancy is useless for box consistency computations.

Lemma 3. Let $D$ be a box and let $\rho$ be a combination function. Let $C : f \in I$ and $C' : g \in J$ be two projection constraints such that $f_{\mathbb{I}}(D)$ is box consistent wrt. $C$ and $g_{\mathbb{I}}(D)$ is box consistent wrt. $C'$. If $C''$ is the redundant constraint defined by $\rho(f, g) \in \varphi_{\mathbb{I}}(I, J)$ then $f_{\mathbb{I}}(D)$ and $g_{\mathbb{I}}(D)$ are box consistent wrt. $C''$.

The previous lemma shows that the redundant constraint does not allow one to reduce the domain of $f$, since it is already box consistent. As a consequence, the redundancy is useless. The next step introduces a simplification process.

3.3 Term Simplification 

Simplification procedures are generally associated with two properties. Firstly, the equivalence of terms in the domain $\mathbb{R}$ must be preserved. Secondly, rewritten terms have to be adapted for further computations. The first property is the basis of the following definition.

Definition 4 (Simplification function). A simplification function $\psi$ is a function on terms such that for all $f(x_1, \dots, x_n) \in T$, the set of variables occurring in $\psi(f)$ is included in $\{x_1, \dots, x_n\}$ and the following formula is true in the real structure:

$$\forall x_1 \dots \forall x_n \quad f = \psi(f)$$

The main idea is to simplify left-hand terms of redundant projection constraints. The following lemma shows that the redundancy property (Lemma 2) is preserved by simplification.

Lemma 4. Let $f \in I$ and $g \in J$ be two projection constraints. Given a combination function $\rho$ and a simplification function $\psi$, the following relation holds:

$$f \in I \wedge g \in J \implies \psi(\rho(f, g)) \in \varphi_{\mathbb{I}}(I, J)$$

L. Granvilliers and M. Ouabiba

The following lemma provides a sufficient condition for defining efficient simplification functions. The aim is to derive more precise interval functions. Given two terms $f$ and $g$, $g$ is said to be more precise than $f$ if for all $D \in \mathbb{I}^n$, $g_{\mathbb{I}}(D) \subseteq f_{\mathbb{I}}(D)$ holds. This relation defines a partial ordering $\preceq$ on terms (here we have $g \preceq f$).

Lemma 5. Let $f(x_1, \dots, x_n)$ be a term and let $g$ be a term resulting from a simplification of $f$. Let $x_i$ be a variable occurring in $f$ and $g$. Suppose that $g$ is more precise than $f$. Then for every interval $I$ and every box $D$ the following result holds:

$$\theta(x_i, g \in I, D) \subseteq \theta(x_i, f \in I, D)$$

The dependency problem of interval arithmetic underlines the weakness of interval evaluation wrt. multiple occurrences of variables [14]. More precisely, two occurrences of one variable are processed as two different variables. As a consequence, there is no elimination of values as in the domain of real numbers. In this paper, we define the simplification procedure as an application in sequence of elementary rules supposed to handle the dependency problem. A non-exhaustive set of rules is given below¹, where $f$, $g$ and $h$ are terms:

$$\begin{cases} \mathrm{exp} : e^f / e^g \to e^{f - g} \\ \mathrm{lin} : fg + fh \to f(g + h) \\ \mathrm{div} : fg / fh \to g / h \end{cases}$$

It can be shown that each rule $f \to g$ is such that $g \preceq f$. In particular, the second one looks like the sub-distributivity property of interval arithmetic. Moreover, every sequence of application of rules is finite: it suffices to remark that the number of symbols in rewritten terms strictly decreases.

Example 4. Consider the NCSP $x_2 \exp(-2.5 x_1) = 0.85 \wedge x_2 \exp(-1.5 x_1) = 1.25$ given the box $[0, 1] \times [0, 10]$. Constraint propagation leads to slow convergence. This behavior is illustrated in Figure 1, where $x_2$ is expressed as a function of $x_1$. The initial box is first reduced at the upper bound of $x_2$ using $g_2$: the eliminated box contains no solution of the second constraint, i.e., no point of $g_2$. Then the upper bound of $x_1$ is contracted using $g_1$, and so on.

The two constraints can be combined and simplified as follows:

$$\frac{x_2 \exp(-2.5 x_1)}{x_2 \exp(-1.5 x_1)} = \frac{0.85}{1.25} \;\xrightarrow{\mathrm{div}}\; \frac{\exp(-2.5 x_1)}{\exp(-1.5 x_1)} = \frac{0.85}{1.25} \;\xrightarrow{\mathrm{exp}}\; \exp(-2.5 x_1 + 1.5 x_1) = \exp(-x_1) = \frac{0.85}{1.25}$$

If the redundant constraint is added to the NCSP, a gain of more than one order of magnitude is obtained in the solving process using box consistency. The result is the box $[0.38566248, 0.38566249] \times [2.2291877, 2.2291878]$.
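The combination of Definition 3 and the simplification rules of Section 3.3, as an added Python example (not code from the paper or from RealPaver): the combination function $\rho$ for the term $\varphi(u, v) = u / v$, and a simplification function $\psi$ that applies the rules exp, lin and div to subterms first and repeats until no rule fires, run on the two constraints of Example 4. The tuple encoding of terms, the rewriting order and the restriction of lin and div to a shared left factor are this example's own assumptions; the final arithmetic step $-2.5 x_1 + 1.5 x_1 = -x_1$ of Example 4 is coefficient folding and is not one of the three rules, so it is not performed here.

```python
OPS = {'+', '-', '*', '/', 'exp'}

def rho(f, g, phi=('/', ('u',), ('v',))):
    """rho(f, g) = phi[u <- f, v <- g]; u and v occur once in phi (Definition 3)."""
    def subst(t):
        if t == ('u',): return f
        if t == ('v',): return g
        if t[0] in OPS: return (t[0],) + tuple(subst(s) for s in t[1:])
        return t                       # ('c', value) or ('x', index) leaf
    return subst(phi)

def rule_exp(t):
    """exp : e^f / e^g -> e^(f - g)"""
    if t[0] == '/' and t[1][0] == 'exp' and t[2][0] == 'exp':
        return ('exp', ('-', t[1][1], t[2][1]))

def rule_lin(t):
    """lin : f*g + f*h -> f*(g + h)   (shared left factor f)"""
    if t[0] == '+' and t[1][0] == '*' and t[2][0] == '*' and t[1][1] == t[2][1]:
        return ('*', t[1][1], ('+', t[1][2], t[2][2]))

def rule_div(t):
    """div : f*g / f*h -> g / h   (shared left factor f)"""
    if t[0] == '/' and t[1][0] == '*' and t[2][0] == '*' and t[1][1] == t[2][1]:
        return ('/', t[1][2], t[2][2])

RULES = (rule_exp, rule_lin, rule_div)

def psi(t):
    """Simplification function: rewrite the subterms, then the root, to a fixpoint."""
    if t[0] in OPS:
        t = (t[0],) + tuple(psi(s) for s in t[1:])
    for rule in RULES:
        r = rule(t)
        if r is not None:
            return psi(r)
    return t

def symbols(t):
    """Number of symbols of a term; every rule strictly decreases it (termination)."""
    return 1 + sum(symbols(s) for s in t[1:]) if t[0] in OPS else 1

def example4():
    """Combine the two constraints of Example 4 by division and simplify the quotient."""
    x1, x2 = ('x', 1), ('x', 2)
    f = ('*', x2, ('exp', ('*', ('c', -2.5), x1)))   # x2 exp(-2.5 x1)
    g = ('*', x2, ('exp', ('*', ('c', -1.5), x1)))   # x2 exp(-1.5 x1)
    combined = rho(f, g)                             # the redundant term f / g
    return combined, psi(combined)
```

The right-hand side of the redundant constraint, $\varphi_{\mathbb{I}}([0.85, 0.85], [1.25, 1.25])$, is left to the interval evaluator; the symbolic side is what `psi` produces, here $\exp((-2.5 x_1) - (-1.5 x_1))$, in which $x_2$ no longer occurs.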

¹ Due to a lack of space, only the rules that are used in the experimentations are given.

Fig. 1. Slow convergence in constraint propagation.



4 Implementation and Results 

An implementation has been realized in RealPaver. In the following we give 
details of the encoding of constraint projections. In order to illustrate the effects 
of our approach in consistency reasonings, a set of experimental results is also 
discussed. 

4.1 Implementation Details 

First of all, let us note that every constraint can be expressed as a projection constraint: $f = 0$ corresponds to $f \in [0, 0]$ and $f \le 0$ to $f \in [-\infty, 0]$. Projections on terms are computed by the HC4revise algorithm, which is a chain rule enforcing elementary constraint inversion steps [7].

Example 5. Let $f$ be a term and let $C$ be the constraint $(f + y) - 1 = 0$. Given the box $[-10, 10]^2$, let us apply HC4revise to compute an interval $I$ such that the projection constraint $f \in I$ holds. Constraint $C$ is rewritten as the projection constraint $(f + y) - 1 \in [0, 0]$. The first inversion step eliminates the minus operation: $f + y \in [0, 0] + 1 = [1, 1]$. The second inversion step removes the plus operation: $f \in [1, 1] - y$, and $y$ is replaced with its domain: $f \in [-9, 11]$. Now, given the constraint $f \in [-9, 11]$, box consistency may be enforced over $f$.
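The inversion steps of Example 5, as an added Python example (this is not the HC4revise implementation of RealPaver or of [7]): a forward pass attaches its natural form to every node of the term tree, then a backward pass inverts each `+` and `-` node from the root interval down to the leaves, so that the term $f$ receives the projection $[-9, 11]$. Outward rounding with `math.nextafter` is used for the bounds, the node encoding and the leaf names are this example's own assumptions, and only the two operations of Example 5 are inverted.

```python
import math

def down(a): return math.nextafter(a, -math.inf)
def up(a):   return math.nextafter(a, math.inf)
def add(I, J): return (down(I[0] + J[0]), up(I[1] + J[1]))
def sub(I, J): return (down(I[0] - J[1]), up(I[1] - J[0]))

def meet(I, J):
    """I ∩ J, or None when empty."""
    lo, hi = max(I[0], J[0]), min(I[1], J[1])
    return (lo, hi) if lo <= hi else None

def forward(t, dom):
    """Forward pass: attach to every node its natural form. Nodes are
    ('leaf', name), ('const', c), ('+', a, b) and ('-', a, b)."""
    if t[0] == 'leaf':
        return ('leaf', t[1], dom[t[1]])
    if t[0] == 'const':
        return ('const', t[1], (down(t[1]), up(t[1])))     # hull of the constant
    a, b = forward(t[1], dom), forward(t[2], dom)
    op = add if t[0] == '+' else sub
    return (t[0], a, b, op(a[-1], b[-1]))

def backward(n, R, out):
    """Backward pass: invert each operation from the root interval R to the leaves.
    Returns False as soon as some subterm receives an empty interval."""
    R = meet(n[-1], R)
    if R is None:
        return False
    if n[0] == 'leaf':
        out[n[1]] = R
        return True
    if n[0] == 'const':
        return True
    a, b = n[1], n[2]
    if n[0] == '+':          # a + b ∈ R  =>  a ∈ R - b,  b ∈ R - a
        ra, rb = sub(R, b[-1]), sub(R, a[-1])
    else:                    # a - b ∈ R  =>  a ∈ R + b,  b ∈ a - R
        ra, rb = add(R, b[-1]), sub(a[-1], R)
    return backward(a, ra, out) and backward(b, rb, out)

def hc4revise(term, R, dom):
    """Projection of the constraint term ∈ R onto every leaf, as a dict leaf -> interval,
    or None when the constraint cannot be satisfied over dom."""
    out = {}
    return out if backward(forward(term, dom), R, out) else None

def example5():
    """(f + y) - 1 ∈ [0, 0] with y ∈ [-10, 10] and f unconstrained gives f ∈ [-9, 11]."""
    term = ('-', ('+', ('leaf', 'f'), ('leaf', 'y')), ('const', 1.0))
    dom = {'f': (-math.inf, math.inf), 'y': (-10.0, 10.0)}
    return hc4revise(term, (0.0, 0.0), dom)
```

Because every inverted interval is intersected with the node's forward interval, the same pass also narrows $y$ when $f$ has a domain of its own, and it returns `None` as soon as a subterm's interval becomes empty, which is the rejection test of Section 2.4 obtained for free.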

Given two projection constraints $f \in I$ and $g \in J$, every redundant constraint $\psi(\rho(f, g)) \in \varphi_{\mathbb{I}}(I, J)$ is represented as follows. The term $\psi(\rho(f, g))$ is represented in explicit form in the DAG. $\varphi_{\mathbb{I}}(I, J)$ is implemented as an interval function taking as input the intervals $I$ and $J$ available at the root nodes of $f$ and $g$ in the DAG. This function is located in the root node of the term $\psi(\rho(f, g))$. This way $\varphi_{\mathbb{I}}$ is evaluated as fast as possible and memory consumption is kept within reasonable bounds. If the expression of $\psi(\rho(f, g))$ is simple then the computation of box consistency may be precise and cheap.
4.2 Experimental Results

This section reports the results of the term sharing and term combination procedures. For the experimental tests, we have used some known problems from the numerical analysis and interval analysis communities. All the problems were solved by a bisection algorithm with a precision of output boxes of $10^{-10}$. The experiments have been conducted on a Linux/PC Pentium III 933MHz. The description of the test problems follows. Every variable whose domain is not explicitly mentioned lies in the interval $[-100, 100]$.

1. Brown's almost linear problem [11]:

$$\begin{cases} x_i + \sum_{j=1}^{n} x_j = n + 1, & 1 \le i \le n - 1 \\ \prod_{j=1}^{n} x_j = 1 \end{cases}$$

In the system, the sum of variables can be shared and represented only once.

2. Extended Wood problem [15] ($1 \le i \le n$):

$$\begin{cases} -200 x_i (x_{i+1} - x_i^2) - (1 - x_i) = 0 & \mathrm{mod}(i, 4) = 1 \\ 200 (x_i - x_{i-1}^2) + 20 (x_i - 1) + 19.8 (x_{i+2} - 1) = 0 & \mathrm{mod}(i, 4) = 2 \\ -180 x_i (x_{i+1} - x_i^2) - (1 - x_i) = 0 & \mathrm{mod}(i, 4) = 3 \\ 180 (x_i - x_{i-1}^2) + 20.2 (x_i - 1) + 19.8 (x_{i-2} - 1) = 0 & \mathrm{mod}(i, 4) = 0 \end{cases}$$

Terms $(x_{i+1} - x_i^2)$ and $(x_i - x_{i-1}^2)$ can be shared in the first two equations and in the last two constraints.

3. Circuit design problem [7] ($1 \le i \le 4$):

$$\begin{cases} x_1 x_3 = x_2 x_4 \\ (1 - x_1 x_2) x_3 (\exp(x_5 (a_{1i} - a_{3i} x_7 - a_{5i} x_8)) - 1) = a_{5i} - a_{4i} x_2 \\ (1 - x_1 x_2) x_4 (\exp(x_6 (a_{1i} - a_{2i} - a_{3i} x_7 + a_{4i} x_9)) - 1) = a_{5i} x_1 - a_{4i} \end{cases}$$

The symbols $a_{ki}$ are known coefficients. In this system, it can be observed that the term $(1 - x_1 x_2)$ occurs in all but one constraint.

4. Product problem:

$$\prod_{j \ne i} x_j = i, \qquad 1 \le i \le n$$

Two consecutive constraints $i$ and $i + 1$ can be divided and simplified into $x_{i+1} / x_i = i / (i + 1)$.

5. Extended product problem:

$$x_i + \prod_{j=1}^{n} x_j = i, \qquad 1 \le i \le n$$

The products from two consecutive constraints $i$ and $i + 1$ can be eliminated, which corresponds to the generation of the redundant constraint $i - x_i = (i + 1) - x_{i+1}$.
6. Parameter estimation problem: Parameter estimation is the problem of determining the parameters of a model given experimental data. Let us consider the following model using exponential sums:

$$y(t) = x_1 \exp(-x_2 t) + x_3 \exp(-x_4 t) + x_5 \exp(-x_6 t)$$

In the real world a series of measures $(t_i, y_i)$ is known and the aim is to determine the $x_i$'s such that every measure verifies the model. In the following, let us compute the data by simulation. The series of timings is fixed as $t = (0, 1, 4, 9, 16, 25, 36, 49, 69, 81, 100)$. The exact parameter values are defined by $(10, 1, -5, 0.1, 1, 0.01)$ and the $y_i$'s are computed as $y(t_i)$. Now let us try to compute the parameter values in the box

$$[-10^3, 10^3] \times [0.5, 2] \times [-10^3, 10^3] \times [0.05, 0.5] \times [-10^3, 10^3] \times [0, 0.05].$$

The main idea is to combine terms from the same columns. Given the projection constraints $x_k \exp(-x_{k+1} t_i) \in I$ and $x_k \exp(-x_{k+1} t_j) \in J$, the following redundant constraint is derived:

$$\frac{x_k \exp(-x_{k+1} t_i)}{x_k \exp(-x_{k+1} t_j)} \in \frac{I}{J} \;\xrightarrow{\mathrm{div}}\; \frac{\exp(-x_{k+1} t_i)}{\exp(-x_{k+1} t_j)} \in \frac{I}{J} \;\xrightarrow{\mathrm{exp}}\; \exp(x_{k+1} t_j - x_{k+1} t_i) \in \frac{I}{J} \;\to\; \exp((t_j - t_i) x_{k+1}) \in \frac{I}{J}$$

The redundant constraint may be used to further reduce the domain of $x_{k+1}$. Since $x_{k+1}$ occurs once, the reduction may be computed by a direct interval expression $x_{k+1} \in (t_j - t_i)^{-1} \cdot \log(I/J)$. Furthermore, the term $(t_j - t_i)^{-1}$ can be evaluated only once. As a consequence the reduction is very cheap, since it needs the evaluation of three interval operations.
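The direct reduction $x_{k+1} \in (t_j - t_i)^{-1} \cdot \log(I/J)$ of problem 6, as an added Python example (not code from the paper or from RealPaver): the three interval operations, quotient, logarithm and scaling by the constant, with outward rounding, and the two cases in which the redundant constraint yields nothing (the quotient $I/J$ is unbounded because $0 \in J$) or proves the box inconsistent (an exponential cannot lie in a non-positive quotient). The intervals $I$ and $J$ in the test are constructed around the values $x_k = 10$, $x_{k+1} = 1$ at $t_i = 0$ and $t_j = 1$ of the simulated data; those values, the exactness assumed for $t_i$ and $t_j$, and the function names are this example's own assumptions.

```python
import math

def down(a): return math.nextafter(a, -math.inf)
def up(a):   return math.nextafter(a, math.inf)

def div(I, J):
    """I / J when 0 ∉ J; None otherwise (the quotient would be unbounded)."""
    if J[0] <= 0.0 <= J[1]:
        return None
    q = (I[0] / J[0], I[0] / J[1], I[1] / J[0], I[1] / J[1])
    return (down(min(q)), up(max(q)))

def log_(I):
    """log of the positive part of I; None when I is entirely non-positive."""
    if I[1] <= 0.0:
        return None
    lo = -math.inf if I[0] <= 0.0 else down(math.log(I[0]))
    return (lo, up(math.log(I[1])))

def scale(c, I):
    """c · I for a real scalar c, taking the sign of c into account."""
    a, b = c * I[0], c * I[1]
    return (down(min(a, b)), up(max(a, b)))

def meet(I, J):
    """I ∩ J, or None when empty."""
    lo, hi = max(I[0], J[0]), min(I[1], J[1])
    return (lo, hi) if lo <= hi else None

def reduce_rate(t_i, t_j, I, J, dom):
    """New domain of x_{k+1} from x_k exp(-x_{k+1} t_i) ∈ I and
    x_k exp(-x_{k+1} t_j) ∈ J:  dom ∩ (t_j - t_i)^{-1} · log(I / J).
    Returns dom unchanged when the redundant constraint carries no information
    and None when it shows that the box contains no solution."""
    if t_i == t_j:
        return dom                  # the same column twice: nothing to combine
    q = div(I, J)
    if q is None:
        return dom                  # 0 ∈ J: I / J is unbounded, no reduction
    lg = log_(q)
    if lg is None:
        return None                 # exp(...) ∈ I / J with I / J ≤ 0: infeasible
    return meet(dom, scale(1.0 / (t_j - t_i), lg))
```

With $I = [9.9, 10.1]$ and $J = [3.6, 3.75]$ around the exact values $10$ and $10 e^{-1}$, the domain $[0.5, 2]$ of $x_2$ shrinks to roughly $[0.971, 1.032]$, which still contains the true value $1$; swapping the two columns changes the sign of $(t_j - t_i)^{-1}$ and gives the same interval.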

Table 1 summarizes the results. In the table, Name denotes the problem and n stands for the number of constraints. The next columns present the computation time in seconds and the number of boxes of the solving process for the classical bisection algorithm, for the bisection algorithm using term sharing and combination, and the improvement on the number of boxes. A "?" stands for problems that cannot be solved in less than one hour.

Term sharing transforms Brown's system into a gentle problem for consistency techniques. There is clearly a great interest in sharing complex terms occurring in many constraints. The improvement for Wood and Transistor is less impressive, since only small terms are shared among a subset of constraints. However, the improvement is still more than one order of magnitude.

The product and extended product problems are efficiently solved using term 
combination. In this case, the constraints are simplified enough to greatly im- 
prove constraint processing. The improvement is smaller for the estimation prob- 
lem since the constraints to be combined are complex, and only small parts of 
them are combined and simplified. Our approach is clearly very efficient for 
problems with many small constraints having similar expressions. For the other 
problems, it remains a technique of choice since the process of evaluating the 
new constraints is cheap. 
Table 1. Experimental results.

Benchmark                Classical method           New method           Ratio
Name               n     Time (s)      Boxes       Time (s)    Boxes     Boxes
Brown              4            1      1 018              0       76        13
Brown              5            2     12 322              0       94       131
Brown              6           43    183 427              0       67     2 737
Brown              7         1012  3 519 097              0       88    39 989
Wood               4            1      3 688              0      325        11
Wood               8          256    452 590              3    4 747        95
Wood              12            ?          ?             42   45 751         ?
Transistor         9         1061    236 833            130   23 887         9
Product            3            1         52              0       31         1
Product            5          459  5 698 714              0       37   154 019
Product            7            ?          ?              0       40         ?
Extended Product   3            1      3 217              0       16       201
Extended Product   4         1346 19 315 438              0       19   101 660
Extended Product   5            ?          ?              0       19         ?
Estimation        11            6     11 581              3    5 467         2



4.3 On Strategies 

A critical component of the algorithm is the strategy for combining terms. The 
first approach is to tune the method according to the problem structure, typically 
exponential sums. This allows one to develop so-called global constraints, namely 
complex constraints associated with specific and efficient algorithms. 

The second approach is to tackle the general problem. In our implementation,
only consecutive constraints are combined in order to introduce a reasonable
number of new constraints, and patterns are determined wrt. specific
tree-representations of constraints. These limitations have to be relaxed while
keeping the combinatorial explosion under control.



5 Conclusion 

In this paper, we have introduced a general framework for improving consistency
techniques using redundant constraints. Redundancies are obtained by
combination of terms and simplification according to the precision of interval
computations. In particular, the well-known problem of processing exponential
sums arising in mathematical modeling of dynamic systems has been efficiently
handled. In this case the simplification process follows from the property
$\exp(a) / \exp(b) = \exp(a - b)$ of the exponential function.

The first issue is to design an efficient combination strategy for the general 
problem. For this purpose, the study of term rewriting engines will be useful 
[4]. The second issue is to develop new global constraints, e.g., for geometric 
problems modeled by trigonometric functions. 
Abstract. Origami (paper folding) has a long tradition in Japan's culture
and education. We are developing a computational origami system,
based on the symbolic computation system Mathematica, for performing and
reasoning about origami on the computer. This system is based on the
implementation of the six fundamental origami folding steps (origami axioms)
formulated by Huzita. In this paper, we show how our system performs
origami folds by constraint solving, visualizes each step of origami
construction, and automatically proves general theorems on the result
of origami construction using algebraic methods. We illustrate this by a
simple example of trisecting an angle by origami. The trisection of an
angle is known to be impossible by means of a ruler and a compass. The
entire process of computational origami shows a nontrivial combination of
symbolic constraint solving, theorem proving and graphical processing.



1 Introduction 

Origami is a Japanese traditional art of paper folding. The word origami¹ is
a combined word coming from ori (fold) and kami (paper). For several centuries,
origami has been popular among Japanese common people as an art,
as playing toys, and as teaching material for children. Over the last decade,
origami has also been receiving wide interest among mathematicians, mathematics
educators and computer scientists, as well as origami artists, as origami poses
interesting fundamental geometrical questions.

We are proposing computational origami, as part of a discipline of origami
science (also coined origamics by Haga, a pioneer in Japanese origami research
[7]). We believe that the rigor of paper folding and the beauty of origami
artworks are greatly enhanced when the paper folding is supported by a computer. In
our earlier work, computational origami performs paper folding by solving both
symbolically and numerically certain geometrical constraints, followed by the
visualization of origami by computer graphics tools. In this paper we extend the
system for proving the correctness of the origami constructions, as proposed in
our previous paper [3].

¹ Traditionally, the word origami is used to represent a folding paper, the act of paper
folding or the art of origami. As such, we also use the word origami in a flexible way
depending on the context.

Origami is easy to practice. Origami is made even easier with a computer: we 
can construct an origami by calling a sequence of origami folding functions on 
the Mathematica Notebook [12] or by the interaction with our system, running 
in the computing server, using the standard web browser. The constructed final 
result, as well as the results of the intermediate steps, can be visualized and 
manipulated. Moreover, in cases where a proof is needed, the system will produce 
the proof of the correctness of the construction. Namely, for a given sequence 
of origami construction steps and a given property, the system proves that the 
resulting shape will satisfy the property (or disprove the property). 

The rest of the paper is organized as follows. In sections 2 and 3 we present 
a formal treatment of origami construction. In section 4 we discuss a method for 
trisecting an angle by origami, which cannot be made using the traditional ruler- 
and-compass method. The construction is followed by the proof of the correctness 
of the construction in section 5. In section 6 we summarize our contributions and 
point out some directions for future research. 

2 Preliminaries 

In this section we summarize basic notions and notations that are used to ex- 
plain the principles of origami construction. We assume the basic notions from 
elementary Euclidean geometry. 

In our formalism an origami is defined as a structure $O = (\mathcal{X}, \mathcal{R})$, where $\mathcal{X}$ is the
set of faces of the origami, and $\mathcal{R}$ is a relation on $\mathcal{X}$. Let $\mathcal{O}$ be the set of origamis.
An origami construction is a finite sequence of origamis $O_0, O_1, \ldots, O_n$ with $O_0$ an
initial origami (usually square paper) and $O_{i+1} = g_i(O_i)$ for some function $g_i$
defined by a particular fold. $\mathcal{R}$ is the combination of overlay and neighborhood
relations on faces, but in this paper we will not elaborate it further.

A point $P$ is said to be on origami $O = (\mathcal{X}, \mathcal{R})$ if there exists a face $A \in \mathcal{X}$
such that $P$ is on $A$. Likewise, a line $l$ is said to pass through origami $O = (\mathcal{X}, \mathcal{R})$
if there exists a face $A \in \mathcal{X}$ such that $l$ passes through the interior of $A$. We
denote by $\mathcal{L}$ the set of lines, and by $\mathcal{P}$ the set of points. The set of points on
$O$ is denoted by $\mathcal{P}_O$, and the set of lines on $O$ by $\mathcal{L}_O$. We abuse the notation $\cap$
and $\in$ to denote by $P \cap O \neq \emptyset$ (resp. $l \cap O \neq \emptyset$) the property that $P$ (resp. $l$)
is on $O$, and by $P \in l$ the property that point $P$ is on line $l$.

Furthermore, ’sym’ is the function which computes the symmetric point of a 
given point with respect to a given line, ’dist’ is the function which computes the 
distance between two parallel lines, and ’bisect’ is the function which computes 
the bisector(s) of two lines. 
3 Principles of Origami Construction

An origami is to be folded along a specified line on the origami called fold 
line. The line segment of a fold line on the origami is called a crease, since 
the consecutive operation of a fold and an unfold along the same fold line makes 
a crease on the origami. 

A fold line can be determined by the points it passes through or by the points 
(and/or lines) it brings together. As in Euclidean geometry, by specifying points, 
lines, and their configuration, we have the following six basic fold operations 
called origami axioms of Huzita [9, 8]. It is known that Huzita's origami axiom
set is more powerful than the ruler-and-compass method in Euclidean geometry
[6]. Origami can construct objects that are impossible by the ruler-and-compass
method [4]. One of them is trisecting an angle, which we will show in this paper
as our example of origami proving and solving.

3.1 Origami Axioms 

Huzita’s origami axioms are described in terms of the following fold operations: 

(O1) Given two points P and Q, we can make a fold along the crease passing
through them.

(O2) Given two points P and Q, we can make a fold to bring one of the points
onto the other.

(O3) Given two lines m and n, we can make a fold to superpose the two lines.

(O4) Given a point P and a line m, we can make a fold along the crease that
is perpendicular to m and passes through P.

(O5) Given two points P and Q and a line m, either we can make a fold along
the crease that passes through Q, such that the fold superposes P onto m,
or we can determine that the fold is impossible.

(O6) Given two points P and Q and two lines m and n, either we can make a
fold along the crease, such that the fold superposes P and m, and Q and n,
simultaneously, or we can determine that the fold is impossible.

The operational meaning of these axioms is the following: finding crease(s) 
and folding the origami along the crease. 

Let us first formalize the process of finding the creases. Let $O$ be an origami, $P$
and $Q$ be points, and $f$, $m$ and $n$ be lines. The above fold operations can be stated
by the following logical formulas. They are the basis for the implementation of
the computational origami system.

Axiom 1: $\forall_{P, Q \in \mathcal{P}_O}\ \exists_{f \in \mathcal{L}_O}\ (P \in f \wedge Q \in f)$

Axiom 2: $\forall_{P, Q \in \mathcal{P}_O}\ \exists_{f \in \mathcal{L}_O}\ (\mathrm{sym}(P, f) = Q)$

Axiom 3: $\forall_{m, n \in \mathcal{L}_O}\ \exists_{f \in \mathcal{L}_O}\ \big(((m \parallel n) \wedge (f \parallel m) \wedge (\mathrm{dist}(f, m) = \mathrm{dist}(f, n))) \vee (f \in \mathrm{bisect}(m, n))\big)$

Axiom 4: $\forall_{P \in \mathcal{P}_O,\, m \in \mathcal{L}_O}\ \exists_{f \in \mathcal{L}_O}\ ((f \perp m) \wedge (P \in f))$

Axiom 5: $\forall_{P, Q \in \mathcal{P}_O,\, m \in \mathcal{L}_O}\ \big(\Phi_1(P, Q, m) \Rightarrow \exists_{f \in \mathcal{L}_O}\ ((Q \in f) \wedge (\mathrm{sym}(P, f) \in m))\big)$

Axiom 6: $\forall_{P, Q \in \mathcal{P}_O,\, m, n \in \mathcal{L}_O}\ \big(\Phi_2(P, Q, m, n) \Rightarrow \exists_{f \in \mathcal{L}_O}\ ((\mathrm{sym}(P, f) \in m) \wedge (\mathrm{sym}(Q, f) \in n))\big)$

In Axioms 5 and 6 we have to define the constraints that ensure the existence
of the fold line on the origami. Conditions $\Phi_1$ and $\Phi_2$ could be explicitly given
as boolean combinations of formulas of the form $A = 0$ or $A > 0$, where the $A$'s
are polynomials in the coordinates of $P$, $Q$, $m$ (and $n$).

All the axioms have existential sub-formulas, hence the essence of an origami 
construction is finding concrete terms for the existentially quantified variable /. 
Our computational origami system returns the solution both symbolically and 
numerically, depending on the input. 




4 Trisecting an Angle 

We give an example of trisecting an angle in our system. This example shows a
nontrivial use of Axiom 6. The method of construction is due to H. Abe as
described in [6, 5]. In the following, all the operations are performed by
Mathematica function calls. Optional parameters can be specified by "keyword -> value".

Steps 1 and 2: First, we define a square origami paper, whose corners are des- 
ignated by the points A, B, C and D. The size may be arbitrary, but for our 
example, let us fix it to 100 by 100. The new origami figure is created with 
two differently colored surfaces: a light-gray front and a dark-gray back. We 
then introduce an arbitrary point, say E at the coordinate (30, 100), assum- 
ing A is at (0, 0). 

    NewOrigami[Square[100, MarkPoints -> {"A", "B", "C", "D"}],
               FigureCaption -> "Step "];
    PutPoint["E", Point[30, 100]];

Our problem is to trisect the angle $\angle EAB$. The method consists of the
following seven steps (steps 3-9) of folds and unfolds.

Steps 3 and 4: We make a fold to bring point A to point D, to obtain the
perpendicular bisector of segment AD. This is the application of (O2). The
points F and G are automatically generated by the system. We unfold the
origami and obtain the crease FG.



    FoldBring[A, D];
    Unfold[];



T. Ida et al.

Fig. 1. Trisecting an angle by origami, steps 1-6.



Steps 5 and 6: Likewise we obtain the crease IH. 

    FoldBring[A, G];
    Unfold[];

Steps 7 and 8: Step 7 is the crucial step of the construction. We superpose
point G and the line that is the extension of the segment AE, and point A and
the line that is the extension of the segment IH, simultaneously. This is possible
by (O6) and is realized by the call of the function FoldBrBr. There are three
candidate fold lines that make these superpositions possible. The system responds
with the query "Specify the line number" together with the fold lines on the
origami image. We reply with the call of FoldBrBr with the additional parameter 3,
which tells the system that we choose line number 3. This is the fold line that
we are primarily interested in. However, the other two fold lines are also
solutions (which trisect different angles).

    FoldBrBr[G, AE, A, IH];
    FoldBrBr[G, AE, A, IH, 3];



Steps 9 and 10: We duplicate the points A and I on the other face that is
below the face that A and I are on, and unfold the origami. The duplicated
points appear as L and J for A and I, respectively. These names are
automatically generated. Finally, we see that the segments AJ and AL trisect
the angle $\angle EAB$.

    DupPoint[{"I", "A"}]; Unfold[];
    ShowOrigamiSegment[{{{A, E}}, {{A, J}}, {{A, L}}}];
Fig. 2. Trisecting an angle by origami, steps 7-8 (the step 7 panel shows the system's query "Specify the line number.").

Although it is not obvious to see that equational solving is performed, our
system solves a set of polynomial equations, up to the third degree. In the case
of the folds applying (O1)-(O4), the system computes a solution using the well
known mathematical formulas of elementary geometry rather than proving the
existential formulas of Axioms 1 to 4. In the case of FoldBrBr, the system solves
a cubic equation. This explains why we have (at most) 3 possible fold lines at
step 7.
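The construction of steps 3-10 carried out numerically, as an added example that is not the authors' Mathematica system: sym and the fold lines of (O1) and (O2) are elementary formulas, and (O6) is implemented by parametrising the image of the first point along its target line, which makes the condition on the second point the cubic equation mentioned above. The real roots are bracketed by sampling and refined by bisection (numeric root finding is this example's choice, not the system's symbolic solving). The coordinates are those of the text (A at (0, 0), a 100 by 100 square, E at (30, 100)); a line is stored as (a, b, c) with a x + b y + c = 0.

```python
import math


def line_through(p, q):
    """Line through two points (axiom O1), as (a, b, c) with a*x + b*y + c = 0."""
    a, b = q[1] - p[1], p[0] - q[0]
    return (a, b, -(a * p[0] + b * p[1]))


def sym(p, line):
    """Mirror image of p across line (the paper's sym function)."""
    a, b, c = line
    d = (a * p[0] + b * p[1] + c) / (a * a + b * b)
    return (p[0] - 2 * a * d, p[1] - 2 * b * d)


def dist_to(p, line):
    """Signed distance of p from line."""
    a, b, c = line
    return (a * p[0] + b * p[1] + c) / math.hypot(a, b)


def fold_bring(p, q):
    """Fold line bringing p onto q (axiom O2): the perpendicular bisector of pq."""
    a, b = q[0] - p[0], q[1] - p[1]
    return (a, b, -(a * (p[0] + q[0]) / 2 + b * (p[1] + q[1]) / 2))


def intersect(l1, l2):
    (a1, b1, c1), (a2, b2, c2) = l1, l2
    det = a1 * b2 - a2 * b1
    return ((b1 * c2 - b2 * c1) / det, (a2 * c1 - a1 * c2) / det)


def fold_br_br(p, m, q, n, span=300.0, samples=1200):
    """Axiom O6: all fold lines f with sym(p, f) on m and sym(q, f) on n.
    The image of p is parametrised along m by s; the condition on q is a cubic in s
    whose real roots are bracketed by sampling and refined by bisection."""
    a, b, c = m
    nrm = a * a + b * b
    base = (-a * c / nrm, -b * c / nrm)
    dirn = (b / math.sqrt(nrm), -a / math.sqrt(nrm))

    def fold(s):
        return fold_bring(p, (base[0] + s * dirn[0], base[1] + s * dirn[1]))

    def residual(s):
        try:
            return dist_to(sym(q, fold(s)), n)
        except ZeroDivisionError:  # the image of p coincides with p: no fold line
            return math.nan

    folds, step = [], 2 * span / samples
    s0, r0 = -span, residual(-span)
    for k in range(1, samples + 1):
        s1 = -span + k * step
        r1 = residual(s1)
        if r0 * r1 < 0 or r0 == 0:
            lo, hi = s0, s1
            for _ in range(60):
                mid = (lo + hi) / 2
                if residual(lo) * residual(mid) <= 0:
                    hi = mid
                else:
                    lo = mid
            folds.append(fold((lo + hi) / 2))
        s0, r0 = s1, r1
    return folds


def tan_angle(p, o, q):
    """tan of the oriented angle from ray o->p to ray o->q (period 180 degrees)."""
    ux, uy, vx, vy = p[0] - o[0], p[1] - o[1], q[0] - o[0], q[1] - o[1]
    return (ux * vy - uy * vx) / (ux * vx + uy * vy)


def trisection(E=(30.0, 100.0)):
    """Steps 3-10 of section 4. For each candidate fold of step 7 returns the triple
    (tan BAL, tan LAJ, tan JAE); identity (1) holds for all three folds."""
    A, B, C, D = (0.0, 0.0), (100.0, 0.0), (100.0, 100.0), (0.0, 100.0)
    fg = fold_bring(A, D)                          # steps 3-4: FoldBring[A, D], crease FG
    G = intersect(fg, line_through(A, D))
    ih = fold_bring(A, G)                          # steps 5-6: FoldBring[A, G], crease IH
    I, H = intersect(ih, line_through(A, D)), intersect(ih, line_through(B, C))
    out = []
    for f in fold_br_br(G, line_through(A, E), A, line_through(I, H)):  # step 7
        L, J = sym(A, f), sym(I, f)                # steps 9-10: L and J are the images of A and I
        out.append(tuple(tan_angle(p, A, q) for p, q in ((B, L), (L, J), (J, E))))
    return out


if __name__ == "__main__":
    for k, t in enumerate(trisection(), 1):
        print("fold line %d: tan BAL, tan LAJ, tan JAE =" % k, t)
```

All three candidate folds satisfy identity (1), which is what the algebraic proof of section 5 establishes (the tangents agree modulo the period of tan); the fold chosen in step 7 is the one whose common tangent equals tan(EAB / 3), the other two trisect EAB + 180 and EAB + 360 degrees.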

5 Proof of the Correctness of the Trisection Construction 

We now prove the following theorem with our system: 

Theorem 1. The origami construction in section 4 trisects an angle. 

5.1 Proof Method 

In this simple example, the correctness of the trisection construction could be
easily verified either by geometric reasoning or by a sequence of simplification
steps of the algebraic equations representing the geometric constraints. However, to
proceed towards a general (and completely automatic) proving method for
origami theorems, we formulate the proving steps in a more general setting by
showing that the above theorem would be proved if we could show that

$$\tan \angle BAL = \tan \angle LAJ = \tan \angle JAE \qquad (1)$$

in step 10 of Fig. 3.

A general proof procedure is as follows: 

(i) We first translate the equality (1) into the algebraic form. This is done after 
we fix the coordinate system (in our case Cartesian system). 
Fig. 3. Trisecting an angle by origami, steps 9-10.

(ii) We already observed that all the folding steps are formulated in Axioms 1-6.
These axioms are easily transcribed in terms of polynomial constraints,
once the representations of lines and points are fixed. The functions sym,
bisect, and dist, and the relations $\parallel$ and $\perp$ are easily defined.

(iii) We use the Gröbner bases method. We collect all the premise equalities
and inequalities $C = \{c_1, \ldots, c_n\}$ obtained at step (ii), and the conclusion
equalities and inequalities $D = \{d_1, \ldots, d_m\}$ obtained at step (i). Let $M$
be the boolean combination of the equalities and inequalities of the form
$\neg(c_1 \wedge \ldots \wedge c_n) \vee (d_1 \wedge \ldots \wedge d_m)$, i.e. $C \Rightarrow D$. We prove $\forall M$ by refutation.
The decision algorithm, roughly, proceeds as follows:

(a) Bring $M$ into a conjunctive normal form and distribute $\forall$ over the
conjunctive parts. Treat each of the parts

$$\forall_{x, y, z, \ldots}\ P$$

separately. Note that $P$ is a disjunction

$$P_1 = 0 \vee \ldots \vee P_k = 0 \vee N_1 \neq 0 \vee \ldots \vee N_l \neq 0$$

of equalities and inequalities.

(b) Then

$$\forall_{x, y, z, \ldots}\ (P_1 = 0 \vee \ldots \vee P_k = 0 \vee N_1 \neq 0 \vee \ldots \vee N_l \neq 0)$$

is transformed into

$$\neg \exists_{x, y, z, \ldots}\ (P_1 \neq 0 \wedge \ldots \wedge P_k \neq 0 \wedge N_1 = 0 \wedge \ldots \wedge N_l = 0)$$

and further on to

$$\neg \exists_{x, y, z, \ldots, \xi_1, \ldots, \xi_k}\ (P_1 \xi_1 - 1 = 0 \wedge \ldots \wedge P_k \xi_k - 1 = 0 \wedge N_1 = 0 \wedge \ldots \wedge N_l = 0)$$

with new variables $\xi_1, \ldots, \xi_k$ ("Rabinowitsch trick").

(c) Now, our question becomes a question on the solvability of a system of
polynomial equalities, which can be decided by computing the reduced
Gröbner basis of $\{P_1 \xi_1 - 1, \ldots, P_k \xi_k - 1, N_1, \ldots, N_l\}$. Namely, one of the
fundamental theorems of Gröbner bases theory tells us that this Gröbner
basis will be $\{1\}$ iff the system is unsolvable (i.e. has no common zeros),
which was first proved in [1].
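A worked instance of steps (b) and (c), added here as an illustration and not part of the paper: take the single premise $x - 1 = 0$ and the conclusion $x^2 - 1 = 0$, so that $N_1 = x - 1$, $P_1 = x^2 - 1$ and the part to be proved is $\forall_x\,(x^2 - 1 = 0 \vee x - 1 \neq 0)$. Step (b) turns it into

$$\neg \exists_{x, \xi_1}\ \big((x^2 - 1)\,\xi_1 - 1 = 0 \;\wedge\; x - 1 = 0\big).$$

Reducing $(x^2 - 1)\,\xi_1 - 1$ modulo $x - 1$ (substituting $x = 1$) leaves $-1$, so the reduced Gröbner basis of $\{(x^2 - 1)\,\xi_1 - 1,\; x - 1\}$ is $\{1\}$: the system has no common zero and the statement is proved. With the false conclusion $x - 2 = 0$ instead, the basis of $\{(x - 2)\,\xi_1 - 1,\; x - 1\}$ is $\{x - 1,\; \xi_1 + 1\}$; its common zero $x = 1$, $\xi_1 = -1$ is the counterexample and the refutation fails.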

5.2 Automated Proof 

The proof steps would in general require laborious symbol manipulation.
We are developing software for performing such transformations completely
automatically. The software is an extension of the geometrical theorem prover [11]
based on Theorema [2].

The following program does all the necessary transformations and the proof
outlined above. The program should be self-explanatory, as we use names
similar to the folding functions used before.

The proposition to be proved is the following:

    Proposition["Trisection", any[A, B, C, D, E, F, G, H, I, J, K, L, M, N],
      neworigami[A, B, C, D] ∧ pon[E, line[D, C]] ∧
      foldBring[A, D, crease[G on line[A, D], F on line[B, C]]] ∧
      foldBring[A, G, crease[I on line[A, G], H on line[B, F]]] ∧
      foldBrBr[L, A, line[H, I], N, G, line[A, E],
               crease[K on line[C, D], M on line[A, B]]] ∧
      symmetricPoint[J, I, line[M, K]] ⟹
        equalzero[tanof[B, A, A, L] - tanof[L, A, A, J]] ∧
        equalzero[tanof[B, A, A, L] - tanof[J, A, A, E]]]

    KnowledgeBase["C1", any[A, B], {{A, {0, 0}}, {B, {100, 0}}}]

To display graphically the geometrical constraints among the involved
points and lines, we call the function Simplify.

    Simplify[Proposition["Trisection"],
             by -> GraphicSimplifier, using -> KnowledgeBase["C1"]]

The following is the output of the prover.

We have to prove:

(Proposition(Trisection))

$\forall_{A, B, C, D, E, F, G, H, I, J, K, L, M, N}$ (neworigami[A, B, C, D] ∧ pon[E, line[D, C]] ∧
foldBring[A, D, crease[G on line[A, D], F on line[B, C]]] ∧
foldBring[A, G, crease[I on line[A, G], H on line[B, F]]] ∧
foldBrBr[L, A, line[H, I], N, G, line[A, E],
crease[K on line[C, D], M on line[A, B]]] ∧
symmetricPoint[J, I, line[M, K]] ⟹
equalzero[tanof[B, A, A, L] − tanof[L, A, A, J]] ∧
equalzero[tanof[B, A, A, L] − tanof[J, A, A, E]])

with no assumptions.
To prove the above statement we use the Gröbner bases method. First we
have to transform the problem into algebraic form.

To transform the geometric problem into an algebraic form we choose an 
orthogonal coordinate system. 

Let us have the origin in point A, and points {B, M} and {G, D, I} on the
two axes.

Using this coordinate system we have the following points:

$\{\{A, 0, 0\}, \{B, u_1, 0\}, \{D, 0, x_1\}, \{E, x_2, u_2\}, \{a_G, 0, x_3\}, \{G, 0, x_4\},$
$\{a_I, 0, x_5\}, \{I, 0, x_6\}, \{M, x_7, 0\}, \{C, x_8, x_9\}, \{F, x_{10}, x_{11}\},$
$\{H, x_{12}, x_{13}\}, \{L, x_{14}, x_{15}\}, \{a_L, x_{16}, x_{17}\}, \{K, x_{18}, x_{19}\},$
$\{a_N, x_{20}, x_{21}\}, \{N, x_{22}, x_{23}\}, \{a_J, x_{24}, x_{25}\}, \{J, x_{26}, x_{27}\}\},$

where $a_X$ is a variable generated internally to create point $X$.

The algebraic form² of the given construction is:

$$\begin{aligned}
\forall_{x_0, \ldots, x_{27}}\ \big(\ & -1 + u_1 x_0 == 0 \wedge -u_1 - x_1 == 0 \wedge -u_1^2 + u_1 x_8 == 0 \wedge \\
& -x_1^2 + x_1 x_9 == 0 \wedge -x_1 x_2 - u_2 x_8 + x_1 x_8 + x_2 x_9 == 0 \wedge \\
& -x_1 + 2 x_3 == 0 \wedge x_1 x_3 - x_1 x_4 == 0 \wedge \\
& -u_1 x_9 + x_9 x_{10} + u_1 x_{11} - x_8 x_{11} == 0 \wedge \\
& x_1 x_3 - x_1 x_{11} == 0 \wedge -x_4 + 2 x_5 == 0 \wedge x_4 x_5 - x_4 x_6 == 0 \wedge \\
& -u_1 x_{11} + x_{11} x_{12} + u_1 x_{13} - x_{10} x_{13} == 0 \wedge x_4 x_5 - x_4 x_{13} == 0 \wedge \\
& -x_6 x_{12} + x_6 x_{14} - x_{13} x_{14} + x_{12} x_{15} == 0 \wedge -x_{14} + 2 x_{16} == 0 \wedge \\
& -x_{15} + 2 x_{17} == 0 \wedge -x_{14} x_{16} - x_{15} x_{17} + x_{14} x_{18} + x_{15} x_{19} == 0 \wedge \\
& -x_1 x_8 + x_1 x_{18} - x_9 x_{18} + x_8 x_{19} == 0 \wedge \\
& x_7 x_{14} - x_{14} x_{16} - x_{15} x_{17} == 0 \wedge \\
& x_7 x_{19} - x_{19} x_{20} - x_7 x_{21} + x_{18} x_{21} == 0 \wedge \\
& -x_4 x_{19} - x_7 x_{20} + x_{18} x_{20} + x_{19} x_{21} == 0 \wedge 2 x_{20} - x_{22} == 0 \wedge \\
& -x_4 + 2 x_{21} - x_{23} == 0 \wedge -u_2 x_{22} + x_2 x_{23} == 0 \wedge \\
& -x_7 x_{19} + x_{19} x_{24} + x_7 x_{25} - x_{18} x_{25} == 0 \wedge \\
& x_6 x_{19} + x_7 x_{24} - x_{18} x_{24} - x_{19} x_{25} == 0 \wedge \\
& 2 x_{24} - x_{26} == 0 \wedge -x_6 + 2 x_{25} - x_{27} == 0 \\
\Rightarrow\ & u_2 x_{14} x_{26} - x_2 x_{15} x_{26} - x_2 x_{14} x_{27} - u_2 x_{15} x_{27} == 0 \wedge \\
& -2 x_{14} x_{15} x_{26} + x_{14}^2 x_{27} - x_{15}^2 x_{27} == 0 \big)
\end{aligned}$$



The further output of the proof is omitted here; the proof proceeds as outlined 
in step (iii). 

Namely, 

1. The above problem is decomposed into two independent problems. 

2. The individual problems are separately proved. 

3. For each problem, the reduced Gröbner bases are computed.

4. Since the result of the computation is {1} for each individual problem, the 
proposition is generally true. 



² The notation $x_0, \ldots, x_{27}$ represents the full sequence of consecutive variables from $x_0$ to $x_{27}$.
Fig. 4. Graphical output of the call of Simplify.



6 Conclusion 

We have shown the computer origami construction with the example of trisecting
an angle. Combining the origami simulation software [10], the implementation of
the Gröbner basis algorithm [1], the implementation of the decision algorithm in
Theorema [2], and a new tool [11] in Theorema, which translates the descriptions
of origami construction into the corresponding polynomial equalities, we are able
to offer a coherent tool for computational origami that can

— simulate arbitrary origami sequences both algebraically and graphically, 

— translate conjectures about properties of the results of origami sequences 
into statements in the form of universally quantified boolean combinations 
of polynomial equalities, 

— decide the truth of such conjectures and produce a proof or refutation of the 
conjecture fully automatically. 

We are now working to integrate those software tools into a coherent system,
each component working independently but coordinating with the others over the
Internet as a symbolic computation grid.

As a next step of our research we plan to study “Origami Solving Problem” , 
which asks for finding a sequence of origami steps that will lead to an origami 
object with a desired property. However, it is clear that this problem is analo- 
gous to the problem of finding geometric objects with desired properties using 
only a ruler and a compass. Note, however, that the two problems - origami 
construction and the ruler-and-compass construction - are not equivalent, as 
we have seen. For further development of origami construction, in analogy to
the ruler-and-compass construction problem, Galois theory suggests itself as the 
main approach to solving the origami construction problem. 
Abstract. The incremental satisfiability problem (ISAT) is a generalisation of the
Boolean satisfiability problem (SAT). It involves checking whether satisfiability
is maintained when new clauses are added to an initial satisfiable set of clauses.
Since stochastic local search algorithms have proved highly efficient for SAT, it is
valuable to investigate their application to solving ISAT. Extremal Optimization is
a simple heuristic local search method inspired by the dynamics of living systems
with evolving complexity and their tendency to self-organize to reach optimal
adaptation. It has only one free parameter and has proved competitive with more
elaborate stochastic local search methods on many hard optimization problems such
as the MAXSAT problem. In this paper, we propose a novel Extremal Optimization
based method for solving ISAT. We provide experimental results on ISAT instances
and compare them against the results of a conventional SAT algorithm. The
promising results obtained indicate the suitability of this method for ISAT.

Keywords: Incremental Satisfiability, Stochastic Local Search, Extremal Op- 
timization, Self-Organized Criticality 



1 Introduction 

The Boolean satisfiability problem (SAT) is one of the most important discrete
constraint satisfaction problems. It is defined as follows. Let Bool denote the Boolean
domain $\{0, 1\}$ and $X = \{x_1, \ldots, x_n\}$ be a set of Boolean variables. The set of literals
over $X$ is $L = \{x, \bar{x} \mid x \in X\}$. A clause $C$ on $X$ is a disjunction of literals. A SAT
instance is a conjunction of clauses. An assignment of $n$ Boolean variables is a
substitution of these variables by a vector $v \in \mathrm{Bool}^n$. A literal $x$, or $\bar{x}$, is said to be
satisfied by an assignment if its variable is mapped to 1 or 0, respectively. A clause $C$ is
said to be satisfied by an assignment $v$ if at least one of its literals is satisfied by $v$;
in that case the value of the clause equals 1 ($C(v) = 1$), otherwise it is said to be
unsatisfied ($C(v) = 0$). A model for a SAT instance is an assignment under which all
clauses are satisfied. The SAT problem asks to find a model for a given set of clauses.

SAT is a paradigmatic NP-complete problem in logic and computing theory [9]. It
provides a natural mathematical formalism to encode information about many
problems in automated reasoning, planning, scheduling and several areas of engineering
and design. In recent years, much effort has been spent to increase the efficiency of
both complete and incomplete algorithms for SAT. Therefore, SAT-based methods
have become an important complement to traditional specialized ones.

Real-world problems must be solved continually because the real environment is
always changing, by adding or removing constraints such as the evolution of the
set of tasks to be performed in scheduling or planning applications. Problem solving
is a never-ending process [21]. Thus, one may have to deal with a series of problems
that change over time, where the current solution of an instance of a problem has to be
adapted to handle the next one. In the CSP community, this concept is known as the
dynamic CSP and was introduced by Dechter and Dechter [11] to maintain solutions
in dynamic constraint networks. The incremental satisfiability problem (ISAT) is a
generalisation of SAT which allows changes of a problem over time and can be
considered as a prototypical dynamic CSP [13], [15].

ISAT was introduced by Hooker [14] as the problem of checking whether
satisfiability is preserved when adding one clause at a time to an initial satisfiable set
of clauses. It was solved using an implementation of the Davis-Putnam-Loveland
procedure (DPL) [10], [17]. When adding a new clause, the procedure continues
building the search tree generated previously for the initial satisfiable set of clauses.
Incremental DPL performs substantially faster than DPL for a large set of SAT
problems [14].

A more general definition has been suggested by Kim et al. [16] to address
practical situations that arise in various domains such as planning and electronic
design automation (EDA). Given a set $\Phi$ of $m$ Boolean functions in conjunctive
normal form $\varphi_i(x)$ over a set of variables $X$, $\Phi = \{\varphi_i(x) \mid \varphi_i(x) = \varphi_p(x) \wedge \varphi_{s_i}(x)\}$,
where each function has a common prefix function $\varphi_p(x)$ and a different suffix
function $\varphi_{s_i}(x)$. The problem is to determine the satisfiability of each function
$\varphi_i(x)$. Kim et al. [16] applied ISAT to prove the untestability of non-robust delay
faults in logic circuits. They formulated the encoding SAT instances as a sequence of
closely related SAT instances sharing a common sub-sequence. They used a DPL-like
approach to solve ISAT and showed that the results achieved using this methodology
outperform those obtained when solving each SAT instance independently.

Hoos and O'Neill [15] introduced another formulation of ISAT as the dynamic
SAT problem (DynSAT). It consists of dynamically adding or removing clauses from
a given SAT instance. The problem is to determine for a given DynSAT instance
whether it is satisfiable at each time step. DynSAT can be solved simply as a set of
independent SAT instances, but solving them together, considering that they share a
common subset of clauses, may result in a significant decrease in total run time. They
presented an initial investigation of mainly two approaches for solving DynSAT. They
used existing local search algorithms for SAT to solve the current SAT instance, while
applying either random restart or trajectory continuation before solving the next SAT
instance in the DynSAT sequence. Their empirical analysis on variants of the WalkSAT
algorithm [22] indicated that the trajectory continuation approach is more efficient than
random restart for hard unstructured problems derived from the SATLIB benchmark
suite [24].

Gutierrez and Mali [13] presented a basic local search algorithm for ISAT that
recycles the model of the satisfiable set of clauses when new clauses are added.
They presented experimental results on both random and structured ISAT instances
generated using SAT instances from the SATLIB benchmark suite [24]. However, it
is not clear how their algorithm compares to state-of-the-art local search algorithms
for SAT.
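An added example, not code from any of the papers cited above, of the ISAT setting as Hooker defines it: clauses are added one at a time to a satisfiable base and satisfiability is re-checked after each addition. The solver is a small complete DPLL (unit propagation and branching, which is what the DPL procedures above do in their simplest form); the previous model is first re-tested against the new clause and otherwise reused as the branching preference, a complete-search counterpart of the model recycling and trajectory continuation described for local search. Clauses are tuples of non-zero integers in DIMACS style (k is $x_k$, -k is $\bar{x}_k$); the instance at the bottom is constructed for the example.

```python
def simplify(clauses, lit):
    """Make literal lit true: drop satisfied clauses, remove the opposite literal elsewhere."""
    return [tuple(l for l in c if l != -lit) for c in clauses if lit not in c]


def dpll(clauses, n_vars, phase, assignment=None, stats=None):
    """Complete DPLL search. phase maps a variable to the value tried first (model recycling).
    Returns a total model {var: bool} or None when the clause set is unsatisfiable."""
    assignment = dict(assignment or {})
    stats = stats if stats is not None else {"decisions": 0}
    while True:                                   # unit propagation
        if any(len(c) == 0 for c in clauses):
            return None                           # empty clause: conflict
        units = [c[0] for c in clauses if len(c) == 1]
        if not units:
            break
        assignment[abs(units[0])] = units[0] > 0
        clauses = simplify(clauses, units[0])
    if not clauses:                               # every clause satisfied
        for v in range(1, n_vars + 1):
            assignment.setdefault(v, phase.get(v, False))
        return assignment
    stats["decisions"] += 1
    var = min(abs(l) for c in clauses for l in c)
    first = phase.get(var, False)
    for value in (first, not first):              # preferred phase first
        lit = var if value else -var
        model = dpll(simplify(clauses, lit), n_vars, phase, {**assignment, var: value}, stats)
        if model is not None:
            return model
    return None


def satisfies(clauses, model):
    """True when every clause has a literal made true by the total assignment model."""
    return all(any(model[abs(l)] == (l > 0) for l in c) for c in clauses)


def incremental_sat(base, additions, n_vars):
    """ISAT in Hooker's sense: starting from a satisfiable base, add one clause at a time
    and report whether satisfiability is preserved. Returns (clause, satisfiable, decisions)
    per step and stops at the first unsatisfiable one, since adding clauses cannot restore it."""
    clauses = list(base)
    model = dpll(clauses, n_vars, {})
    if model is None:
        raise ValueError("the initial clause set must be satisfiable")
    history = []
    for clause in additions:
        clauses.append(clause)
        if satisfies(clauses, model):             # the old model survives: no search at all
            history.append((clause, True, 0))
            continue
        stats = {"decisions": 0}
        model = dpll(clauses, n_vars, model, stats=stats)   # recycle the old model as phase
        history.append((clause, model is not None, stats["decisions"]))
        if model is None:
            break
    return history


# Constructed instance over x_1..x_4: the base is satisfiable, the third addition is not.
BASE = [(1, 2), (-1, 3), (-2, -3), (3, 4)]
ADDITIONS = [(-2, -4), (-3, -4), (4, 2)]

if __name__ == "__main__":
    for clause, sat, decisions in incremental_sat(BASE, ADDITIONS, 4):
        print("added", clause, "-> satisfiable:", sat, "decisions:", decisions)
```

On this instance each addition breaks the current model, one decision with the recycled phase repairs it twice, and the third clause yields an empty clause on both branches, i.e. a proof of unsatisfiability that a local search method could only suspect after a flip budget runs out.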

Recently, a local search heuristic method called Extremal Optimization (EO) was
proposed for solving hard optimization problems such as graph partitioning [5],
[7], graph coloring, spin glasses [6] and maximum satisfiability [19], [20].
EO is characterized by large fluctuations of the search process and extremal selection
against the worst variables in a sub-optimal solution. This makes it able to explore
the search space efficiently without losing well-adapted parts of a solution. ISAT can be
perceived as the problem of searching for an equilibrium of a dynamic system perturbed
by adding new clauses. By the Extremal Optimization process the major parts of the
system can be rearranged so that a new equilibrium state of optimal adaptation can
be reached. Therefore, it is worthwhile to use this heuristic to design an algorithm for
ISAT.

The remainder of the paper is organized as follows. The next Section presents 
Extremal Optimization heuristic. Section 3 describes an implementation of EO to 
solve the SAT problem. In Section 4, we present a new EO-based algorithm for 
solving ISAT. In Section 5, we report on computational results on ISAT instances 
generated from SAT benchmark problems. In Section 6, we conclude and discuss 
directions for future work. 



2 Extremal Optimization Heuristic 

In 1987 Bak, Tang and Wiesenfeld [2] introduced the concept of Self-Organized
Criticality (SOC) to describe the scale-free behaviour exhibited by natural systems
such as earthquakes, water flows in rivers, mass extinction and evolution, to name a
few. These systems are driven by their own dynamics to a SOC state characterized by
a power-law distribution of event sizes [1]. SOC is produced by self-organization in a
long transitory period at the border of stability and chaos [1].

The Bak and Sneppen (BS) model of evolution [3] is the prototype of a wide class of SOC models related to various areas such as the real evolution of bacteria populations [8] and macro-economical processes [23]. In the BS model, species have an associated fitness value between 0 and 1 representing a time scale at which the species will mutate to a different species or become extinct. The species with higher fitness has more chance of surviving. All species are placed on the vertices of a graph and at each iteration, a selection process against the species with the poorest degree of adaptation is applied so that the smallest fitness value is replaced by a new random one, which also impacts the fitness values of its neighbours. A state of optimal adaptation (SOC) above a certain threshold is attained after a sufficient number of steps. In this state almost all species have a punctuated equilibrium [3], [4] that makes them intimately connected. Any perturbation of this equilibrium involves large fluctuations, called critical avalanches [3], in the configuration of the fitness values, potentially making any configuration accessible when the system slides back to a self-organization state. The BS model demonstrated that the durations t of these avalanches follow a power-law distribution $P(t) \propto t^{-\tau}$, where the avalanche exponent $\tau$ is a small real number close to 1.

Extremal Optimization (EO) is a heuristic search method introduced by Boettcher and Percus [5] for solving combinatorial and physical optimization problems. It was motivated by the Bak-Sneppen model [3], which was converted into an incomplete optimization algorithm. The EO heuristic search can be outlined as follows. Consider a system described by a set of N species $x_i$, each with an associated fitness value $\lambda_i$, also called individual cost [5]. The cost function $C(S)$ of a configuration S consists of the individual cost contributions $\lambda_i$. EO starts from an initial random state of the system and at each step performs search on a single configuration S. The variables are ranked from the worst to the best according to their fitness values and the variable with the smallest fitness value is randomly updated. The configuration with minimum cost is then maintained. The rank ordering allows EO to preserve well-adapted pieces of a solution, while updating a weak variable gives the system enough flexibility to explore various space configurations.

An improved variant of EO [6], [7], called τ-EO, consists in ranking all variables from rank n = 1 for the worst fitness to rank n = N for the best fitness $\lambda$. According to the BS model, a power-law distribution over the rank order is considered. For a given value of $\tau$,

$$P(n) \propto n^{-\tau}, \qquad (1 \le n \le N) \qquad (1)$$

At each update, select a rank k according to P(k) and change the state of the variable $x_k$. The variable with rank 1 (worst variable) will be chosen most frequently, while the higher ones will sometimes be updated. In this way, a bias against the worst variables is maintained and no rank gets completely excluded from the selection process. However, the search performance depends on the value of the parameter $\tau$. For $\tau = 0$, the algorithm is simply a random walk through the search space, while for too large values of $\tau$ the process approaches a deterministic local search where only a small number of variables with particularly bad fitness would be chosen at each iteration. An optimal value of $\tau$ will allow even the variable with the highest rank to be selected during a given run time. Boettcher and Percus [7] have established a relation between $\tau$, the run time $t_{max}$ and the number N of variables of the system, to estimate the optimal value of $\tau$. Let $t_{max} = AN$ where A is a constant, then

$$\tau \sim 1 + \frac{\ln(A / \ln N)}{\ln N}, \qquad (N \to \infty,\ 1 \ll A \ll N) \qquad (2)$$

At this optimal value, the best fitness variables are not completely excluded from the selection process and hence, more space configurations can be reached so that the greatest performance can be obtained.



3 τ-EO for SAT



Consider a SAT problem instance of n Boolean variables $X = \{x_1, \ldots, x_n\}$ and m clauses $CF = \{C_1, \ldots, C_m\}$. A variable fitness is defined as the negation of the total number of clauses violated by $x_i$:

$$\lambda_i = -\#unsat(x_i) = -\left|\{C_j \mid x_i \in C_j \text{ and } C_j(S) = 0\}\right| \qquad (3)$$

The best fitness is $\lambda_i = 0$ and the worst one is $\lambda_i = -m$. The cost function $C(S)$ consists of the individual cost contributions $\lambda_i$ for each variable $x_i$. In order to maximize the total number of satisfied clauses, $C(S)$ has to be minimized. Thus,

(4)



Algorithm τ-EO-SAT

1. Randomly generate a solution S. Set $S_{best}$ = S.

2. If S satisfies Clauses then return (S).

3. Evaluate $\lambda_i$ for each $x_i$ in Variables according to Equation 3.

4. Rank $x_i$ according to $\lambda_i$ from the worst to the best.

5. Select a rank j according to Equation 1.

6. Set S' = S in which the truth value of $x_j$ is flipped.

7. If $C(S') < C(S_{best})$ then set $S_{best}$ = S'.

8. Set S = S'.

9. If the number of steps does not exceed MaxSteps return to Step 2.

10. Return (No model can be found).

End τ-EO-SAT

Fig. 1. Generic τ-EO algorithm for SAT

Figure 1 provides the basic outline of the algorithm τ-EO for SAT. Let Variables, Clauses, MaxSteps and $\tau$ be respectively the set of variables, the set of clauses, the given bound for iteration steps and the free parameter of EO.

(i) Line 1. The search begins at a random truth assignment S and the current best assignment, $S_{best}$, is set to S.

(ii) Line 2. S is returned as a model if it satisfies Clauses.

(iii) Lines 3-4. The variable individual fitnesses are evaluated and sorted using a Shell sort.

(iv) Lines 5-6. A variable is selected according to the power-law distribution with the parameter $\tau$ (Equation 1). Its value is then flipped.

(v) Lines 7-8. $S_{best}$ is set to the current assignment whenever that assignment has the minimum cost seen so far (Equation 4). The current assignment is then updated.

(vi) Line 9. The optimization loop is executed for MaxSteps iterations.

(vii) Line 10. There is no guarantee that the algorithm finds a model to the problem if one exists: τ-EO-SAT is incomplete.
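The rank selection of Equation 1, the fitness of Equation 3 and the ten steps of Fig. 1 put together in Python, as an added example that is not the paper's own C implementation: the CNF is constructed for the example, τ = 1.4 follows the setting reported in Section 5, and the form of the cost C(S) as the negated sum of the fitnesses λ_i is an assumption of this example.

```python
import random

# Constructed sample CNF, not taken from the paper: each clause is a tuple of
# DIMACS-style literals, +v for x_v and -v for the negation of x_v.
SAMPLE_CLAUSES = [
    (1, 2), (-1, 3), (-2, -3), (3, 4), (-4, 5), (-5, -1), (2, 5), (-3, -4, 1),
]
SAMPLE_VARIABLES = [1, 2, 3, 4, 5]


def clause_satisfied(clause, s):
    """True if the assignment s (dict variable -> bool) satisfies the clause."""
    return any(s[abs(lit)] == (lit > 0) for lit in clause)


def fitness(variables, clauses, s):
    """Equation 3: lambda_i = -#unsat(x_i), the negated number of violated
    clauses in which x_i occurs; 0 is the best value, -m the worst."""
    lam = {v: 0 for v in variables}
    for c in clauses:
        if not clause_satisfied(c, s):
            for lit in c:
                if abs(lit) in lam:
                    lam[abs(lit)] -= 1
    return lam


def cost(lam):
    """C(S), the quantity to minimise. Assumed here to be the negated sum of
    the individual fitnesses, i.e. the number of variable occurrences in
    violated clauses (0 exactly when every clause is satisfied)."""
    return -sum(lam.values())


def select_rank(n, tau, rng):
    """Equation 1: draw a rank k in 1..N with P(k) proportional to k^(-tau).
    Rank 1 is the worst variable; tau = 0 degenerates to a uniform choice."""
    ranks = range(1, n + 1)
    return rng.choices(ranks, weights=[k ** (-tau) for k in ranks], k=1)[0]


def rank_histogram(n, tau, draws, seed=0):
    """How often each rank is drawn; shows the bias towards rank 1."""
    rng = random.Random(seed)
    counts = {k: 0 for k in range(1, n + 1)}
    for _ in range(draws):
        counts[select_rank(n, tau, rng)] += 1
    return counts


def tau_eo_sat(variables, clauses, max_steps, tau=1.4, seed=0, init=None):
    """tau-EO-SAT of Fig. 1. Returns (model or None, S_best, flips used).
    `init` optionally fixes part of the starting assignment, which is how
    Section 4 reuses the old model for the variables of phi_P1."""
    rng = random.Random(seed)
    variables = list(variables)
    s = dict(init) if init else {}
    for v in variables:                                    # Step 1: random start
        s.setdefault(v, rng.random() < 0.5)
    lam = fitness(variables, clauses, s)
    s_best, c_best = dict(s), cost(lam)
    for step in range(max_steps):
        if all(clause_satisfied(c, s) for c in clauses):   # Step 2: model found
            return dict(s), s_best, step
        ranked = sorted(variables, key=lambda v: lam[v])   # Steps 3-4: worst first
        xj = ranked[select_rank(len(variables), tau, rng) - 1]   # Step 5
        s[xj] = not s[xj]                                  # Step 6: flip x_j
        lam = fitness(variables, clauses, s)
        c = cost(lam)
        if c < c_best:                                     # Step 7: keep the best
            s_best, c_best = dict(s), c
    if all(clause_satisfied(c, s) for c in clauses):       # the last flip may solve it
        return dict(s), s_best, max_steps
    return None, s_best, max_steps                         # Step 10: incomplete


if __name__ == "__main__":
    model, best, flips = tau_eo_sat(SAMPLE_VARIABLES, SAMPLE_CLAUSES, 5000, seed=1)
    print("model:", model, "found after", flips, "flips")
```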



4 τ-EO for ISAT

Let $V = \{x_1, x_2, \ldots, x_n\}$ be a set of Boolean variables and $\varphi_P$ a set of clauses over a subset of variables $X_{\varphi_P} \subseteq V$. $\varphi_P$ is found to be satisfiable and has a model S. Determine the satisfiability of $\varphi_P \cup \varphi_S$ for a given set of clauses $\varphi_S$ over a subset of variables $X_{\varphi_S} \subseteq V$. We use the same classification of the clauses of $\varphi_P \cup \varphi_S$ as suggested in [13] in order to perform minimum local changes on the model of $\varphi_P$. Let $X_{\varphi}$ be the set of variables that appear in the clauses of $\varphi$. Let $\varphi_P = \varphi_{P1} \cup \varphi_{P2}$ and $\varphi_S = \varphi_{S1} \cup \varphi_{S2}$ where:

$$\varphi'_{P1} = \{C \in \varphi_P \mid X_C \cap X_{\varphi_S} \neq \emptyset\} \quad\text{and}\quad \varphi_{P1} = \{C \in \varphi_P \mid X_C \cap X_{\varphi'_{P1}} \neq \emptyset\} \qquad (5)$$

$$\varphi_{P2} = \varphi_P - \varphi_{P1} \qquad (6)$$

$$\varphi'_{S1} = \{C \in \varphi_S \mid X_C \cap X_{\varphi_P} \neq \emptyset\} \quad\text{and}\quad \varphi_{S1} = \{C \in \varphi_S \mid X_C \cap X_{\varphi'_{S1}} \neq \emptyset\} \qquad (7)$$

$$\varphi_{S2} = \varphi_S - \varphi_{S1} \qquad (8)$$



Let us make this point by presenting an example. Let $I = \varphi_P \cup \varphi_S$ be an ISAT instance, where

$\varphi_P = \{x_1 \vee x_2,\ x_2 \vee x_3,\ x_3 \vee x_4 \vee x_{10},\ \neg x_6 \vee x_8,\ x_7 \vee x_8\}$

$\varphi_S = \{x_3 \vee x_5,\ x_5 \vee x_9,\ x_{10} \vee x_{11},\ x_{12} \vee \neg x_{13} \vee x_{14}\}$

From Equation 5, we have

$\varphi'_{P1} = \{x_2 \vee x_3,\ x_3 \vee x_4 \vee x_{10}\}$

$\varphi_{P1} = \{x_1 \vee x_2,\ x_2 \vee x_3,\ x_3 \vee x_4 \vee x_{10}\}$

and so from Equation 6, we have

$\varphi_{P2} = \{\neg x_6 \vee x_8,\ x_7 \vee x_8\}$

In the same manner, from Equation 7 we have

$\varphi'_{S1} = \{x_3 \vee x_5,\ x_{10} \vee x_{11}\}$

$\varphi_{S1} = \{x_3 \vee x_5,\ x_5 \vee x_9,\ x_{10} \vee x_{11}\}$

and finally, from Equation 8 we have

$\varphi_{S2} = \{x_{12} \vee \neg x_{13} \vee x_{14}\}$

The clauses of $\varphi_{P2}$ are discarded from the set of clauses of I since their model is not altered by any assignment to $X_{\varphi_{P1}}$, while $\varphi_{S2}$ is solved as an independent SAT instance. Subsequently, the objective turns into recycling the model of $\varphi_P$ to $\varphi_{P1} \cup \varphi_{S1}$ rather than $\varphi_P \cup \varphi_S$.
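The clause classification of Equations 5 to 8 (the "Determine φ_P1, φ_S1, φ_S2" step of Fig. 2) and the single-clause case analysis of Fig. 2 step 1, as an added Python example that is not the paper's code; the instance is the worked example above re-typed here, so treat the clause lists as constructed.

```python
# Clauses are frozensets of literals; a literal is (variable, polarity) with
# polarity True for x_v and False for its negation.
def lit(v, positive=True):
    return (v, positive)


def clause(*lits):
    return frozenset(lits)


def variables_of(clauses):
    """X_phi: the variables occurring in a set of clauses."""
    return {v for c in clauses for (v, _) in c}


def sharing(clauses, vars_):
    """The clauses having at least one variable in vars_; this is the
    {C in phi | X_C ∩ X ≠ ∅} pattern used in Equations 5 and 7."""
    return [c for c in clauses if variables_of([c]) & vars_]


def partition(phi_p, phi_s):
    """Equations 5-8: split phi_P into phi_P1 (linked to the new clauses) and
    phi_P2 (untouched), and phi_S into phi_S1 (linked to the old model) and
    phi_S2 (an independent SAT instance)."""
    p1_prime = sharing(phi_p, variables_of(phi_s))          # Eq. 5, phi'_P1
    p1 = sharing(phi_p, variables_of(p1_prime))             # Eq. 5, phi_P1
    p2 = [c for c in phi_p if c not in p1]                  # Eq. 6
    s1_prime = sharing(phi_s, variables_of(phi_p))          # Eq. 7, phi'_S1
    s1 = sharing(phi_s, variables_of(s1_prime))             # Eq. 7, phi_S1
    s2 = [c for c in phi_s if c not in s1]                  # Eq. 8
    return {"P1'": p1_prime, "P1": p1, "P2": p2,
            "S1'": s1_prime, "S1": s1, "S2": s2}


def independent(parts, phi_p, phi_s):
    """Check the two separation claims of Section 4: phi_P2 shares no variable
    with phi_S or phi_P1, and phi_S2 shares none with phi_P or phi_S1."""
    p2_ok = not (variables_of(parts["P2"])
                 & (variables_of(phi_s) | variables_of(parts["P1"])))
    s2_ok = not (variables_of(parts["S2"])
                 & (variables_of(phi_p) | variables_of(parts["S1"])))
    return p2_ok and s2_ok


def single_clause_case(c, x_phi_p):
    """Case analysis of Fig. 2 step 1 for phi_S = {C}: returns the case label
    and, for cases a and b, a literal that can be set true without touching
    the old model; case c needs the local search on phi_P1 ∪ {C}."""
    free = [(v, pos) for (v, pos) in c if v not in x_phi_p]
    if len(free) == len(c):      # X_C ∩ X_phiP = ∅
        return "a", free[0]
    if free:                     # shares some, but not all, variables with phi_P
        return "b", free[0]
    return "c", None             # X_C ⊆ X_phiP


# The ISAT instance I = phi_P ∪ phi_S of the worked example (re-typed).
PHI_P = [
    clause(lit(1), lit(2)),
    clause(lit(2), lit(3)),
    clause(lit(3), lit(4), lit(10)),
    clause(lit(6, False), lit(8)),
    clause(lit(7), lit(8)),
]
PHI_S = [
    clause(lit(3), lit(5)),
    clause(lit(5), lit(9)),
    clause(lit(10), lit(11)),
    clause(lit(12), lit(13, False), lit(14)),
]

if __name__ == "__main__":
    parts = partition(PHI_P, PHI_S)
    for name, cs in parts.items():
        print(name, [sorted(c) for c in cs])
    print("separation holds:", independent(parts, PHI_P, PHI_S))
```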

The general structure of the algorithm τ-EO for ISAT is described in Figure 2.

• Clauses of $\varphi_{P2}$ do not share any variable with those of $\varphi_S$ and $\varphi_{P1}$, so they are removed from $\varphi_P \cup \varphi_S$.

• Clauses of $\varphi_{S2}$ have no common variable with those of $\varphi_P$ and $\varphi_{S1}$, so $\varphi_{S2}$ is treated as an independent SAT problem. The algorithm τ-EO-SAT is then applied with Variables = $X_{\varphi_{S2}}$ and Clauses = $\varphi_{S2}$. The satisfiability of $\varphi_{S2}$ is a necessary but not sufficient condition for the satisfiability of $\varphi_P \cup \varphi_S$.

• Clauses of $\varphi_{P1} \cup \varphi_{S1}$ have common variables in $X_{\varphi_{P1}} \cup X_{\varphi_{S1}}$. A particular SAT problem can then be addressed as follows. Given a set of clauses $\varphi_{P1} \cup \varphi_{S1}$ on variables $X_{\varphi_{P1}} \cup X_{\varphi_{S1}}$ where $\varphi_{P1}$ is already satisfiable and has a model S, the problem is to determine the satisfiability of $\varphi_{P1} \cup \varphi_{S1}$ by reusing as much as possible the model of $\varphi_{P1}$. In a first step, a variant of τ-EO-SAT is used for solving this SAT instance. The algorithm starts with the assignment S to the variables $X_{\varphi_{P1}}$ and random Boolean values to the variables $X_{\varphi_{S1}}$. If no model can be found then a second step is performed. The algorithm starts with a completely randomly generated assignment. In this case, the variable fitness is defined as:

$$\lambda_i = -\#unsat(x_i) \times (1 + \#changes(x_i, \varphi_{P1})) \qquad (9)$$

where $\#changes(x_i, \varphi_{P1})$ is the number of changes in the model of $\varphi_{P1}$ obtained by flipping the truth value of $x_i$. Therefore, the best fitness is associated with the variable that both violates the least number of clauses and involves the least number of changes in the model S.

• Adding a single clause is considered as a particular case. Indeed, a clause is satisfied if at least one of its literals is satisfied. Moreover, a clause sharing only some variables with $\varphi_P$ can be satisfied by simply assigning 1 or 0 to one positive or negative literal whose variable is not in $X_{\varphi_P}$. This can achieve significant gains in CPU time compared with that needed by the τ-EO-SAT local search process.
Algorithm τ-EO-ISAT

If S satisfies $\varphi_S$ then Return that $\varphi_P \cup \varphi_S$ is satisfiable.

1. $\varphi_S = \{C\}$

  a. $X_C \cap X_{\varphi_P} = \emptyset$
     A model for C is found by assigning the truth value 1 or 0 to one positive or negative literal, respectively. Return that $\varphi_P \cup \varphi_S$ is satisfiable.

  b. $(X_C \cap X_{\varphi_P} \neq \emptyset)$ and $(X_C \not\subseteq X_{\varphi_P})$
     Assign the truth value 1 or 0 to one positive or negative literal of $X_C - X_{\varphi_P}$, respectively. Return that $\varphi_P \cup \varphi_S$ is satisfiable.

  c. $X_C \subseteq X_{\varphi_P}$
     Determine $\varphi_{P1}$.
     Call τ-EO-SAT with Variables = $X_{\varphi_{P1}}$ and Clauses = $\varphi_{P1} \cup \{C\}$. The initial solution of the algorithm is the assignment S to the variables $X_{\varphi_{P1}}$ and the variable fitness $\lambda_i$ is given by Equation 9.
     If $\varphi_{P1} \cup \{C\}$ is satisfiable then Return that $\varphi_P \cup \varphi_S$ is satisfiable Else Return that no model can be found.

2. $\varphi_S = \{C_1, C_2, \ldots, C_p\}$

  a. $X_{\varphi_P} \cap X_{\varphi_S} = \emptyset$
     Call τ-EO-SAT with Variables = $X_{\varphi_S}$ and Clauses = $\varphi_S$.
     If $\varphi_S$ is satisfiable then Return that $\varphi_P \cup \varphi_S$ is satisfiable Else Return that no model can be found.

  b. $X_{\varphi_P} \cap X_{\varphi_S} \neq \emptyset$
     Determine $\varphi_{P1}$, $\varphi_{S1}$, $\varphi_{S2}$.
     (i) Call τ-EO-SAT with Variables = $X_{\varphi_{S2}}$ and Clauses = $\varphi_{S2}$.
         If no model can be found for $\varphi_{S2}$ then Return that no model can be found for $\varphi_P \cup \varphi_S$.
     (ii) Call τ-EO-SAT with Variables = $X_{\varphi_{P1}} \cup X_{\varphi_{S1}}$ and Clauses = $\varphi_{P1} \cup \varphi_{S1}$.
         1. The algorithm starts with the assignment S to the variables $X_{\varphi_{P1}}$ and random Boolean values to $X_{\varphi_{S1}}$. If $\varphi_{P1} \cup \varphi_{S1}$ is satisfiable then Return that $\varphi_P \cup \varphi_S$ is satisfiable.
         2. The algorithm starts with a completely randomly generated assignment where the variable fitness is given by Eqn. 9. If $\varphi_{P1} \cup \varphi_{S1}$ is satisfiable then Return that $\varphi_P \cup \varphi_S$ is satisfiable Else Return that no model can be found for $\varphi_P \cup \varphi_S$.

End τ-EO-ISAT

Fig. 2. Generic τ-EO algorithm for ISAT
5 Experimental Evaluation

In this section, we present an empirical evaluation of τ-EO-ISAT on ISAT instances obtained from both random and structured SAT instances. In order to compare the ISAT formulation considered in this work and that introduced by Hooker [14], two different types of ISAT instances were generated from each SAT instance. The first one, denoted ISAT1, was obtained as follows. Let ISAT1 be an empty set of clauses. At each time one randomly chosen clause from the SAT instance was added to the ISAT1 instance and the resulting problem was solved. The series of problems was solved incrementally until all clauses had been added or no model for the current problem was found. The second ISAT instance, denoted ISAT2, was generated by randomly splitting the related SAT instance into two subsets $\varphi_P$ and $\varphi_S$ of $m_P$ and $m_S = m - m_P$ clauses, respectively. Finding a model for $\varphi_P$ is a necessary condition before solving the ISAT2 instance.

The SAT benchmarks were taken from the DIMACS [25] and SATLIB [24] archives. Six groups of satisfiable SAT instances were considered: ais* (4 instances of the all-interval series problem), ii8* (14 instances of the Boolean circuit synthesis problem), par8-*-c (5 instances of the learning parity function problem), flat100-239 (100 instances of the SAT-encoded graph colouring problem), uf125-538 (100 random 3-SAT instances) and g* (4 large instances of the hard graph coloring problem). To have a reference point, we tested the performance of the WalkSAT algorithm with the heuristic R-Novelty [18], which is one of the best-performing variants of the WalkSAT algorithm for the SAT problem. The program code of WalkSAT was taken from the SATLIB archive [24]. The algorithm τ-EO-ISAT was coded in C and all experiments were performed on a 2.9 GHz Pentium 4 with 2 GB RAM running Linux. We ran τ-EO-ISAT on ISAT1 and ISAT2 instances with the parameter $\tau$ set to 1.4 according to the approximately optimal parameter setting [20]. ISAT2 instances were generated setting $m_P$ to 0.5m. R-Novelty (WalkSAT with the -rnovelty parameter) was run with a noise parameter p set to 0.6 as suggested in [18]. The programs were run 20 times on each instance with a maximum of 100000 flips allowed to solve each one, except for the large problem instances g*, where a time limit of 300 seconds was allowed at each run.

The results achieved by τ-EO-ISAT on ISAT1 and ISAT2 instances are presented in Tables 1 and 2, respectively. Table 3 presents the results obtained with R-Novelty on the related SAT instances. n and m denote the number of variables and clauses, respectively. For each instance, we give the success rate over 20 runs, the mean CPU time and the mean number of flips to find a solution and their respective standard deviations. Table 4 summarizes our results in terms of average success rate, average CPU time and average number of flips to solve each problem class. τ-EO-ISAT1 and τ-EO-ISAT2 refer to the algorithm τ-EO-ISAT on ISAT1 and ISAT2 instances, in that order. Mean CPU times related to τ-EO-ISAT2 include the mean CPU times needed to find a model for $\varphi_P$.

In terms of average success rate, average CPU time and average number of flips at finding a solution, τ-EO-ISAT2 outperformed τ-EO-ISAT1 and R-Novelty on the problems ais*, par8-*-c and uf125-538. R-Novelty was the best-performing algorithm on the problems flat100-239 and g*; however, the results of τ-EO-ISAT2 on these problem instances were also quite competitive. Intuitively, this could be explained by the high connectivity inherent to the structure of these instances, which makes recycling an old model much more difficult when new clauses are added. On the problems ii8*, the best average success rate was achieved by τ-EO-ISAT2, but with a significantly higher cost than R-Novelty.



Table 1. Results of τ-EO-ISAT on ISAT1 instances

Problem id                 n       m        Success    CPU time (s)           # Flips
                                            rate/20    Mean        Std        Mean          Std
ais6                       61      581      20         0.4400      0.0320     8800.4        1245.2
ais8                       113     1520     18         6.8452      1.6505     39292.5       6564.0
ais10                      181     3151     7          6.6520      2.1420     8115.0        1824.9
ais12                      265     5666     2          9.3290      0.0562     42638.0       2562.8
ii8a1                      66      186      20         0.0023      0.0005     95.0          0.0
ii8a2                      180     800      20         0.0179      0.0012     155.8         0.7
ii8a3                      264     1552     20         0.0820      0.0015     328.7         65.4
ii8a4                      396     2798     20         1.2400      0.0054     1126.2        32.1
ii8b1                      336     2068     20         0.0142      0.0006     328.6         15.1
ii8b2                      576     4088     20         4.6325      0.3235     5340.2        525.6
ii8b3                      816     6108     20         7.8312      0.5350     45653.4       3540.6
ii8b4                      1068    8214     5          16.1210     2.6453     4800.3        2945.7
ii8c1                      510     3065     20         0.9200      0.0030     624.3         2.4
ii8c2                      950     6689     20         9.5780      1.4210     5800.6        234.8
ii8d1                      530     3207     20         1.3650      0.0450     712.5         26.5
ii8d2                      930     6547     20         8.4500      1.4620     1912.5        185.1
ii8e1                      520     3136     20         2.4520      0.3700     1415.2        164.0
ii8e2                      870     6121     20         6.5642      1.1260     1846.5        138.8
par8-1-c                   64      254      20         0.1762      0.0560     3623.5        325.8
par8-2-c                   68      270      20         0.3320      0.0065     8264.0        237.5
par8-3-c                   75      298      20         1.7328      0.1045     25605.2       1968.4
par8-4-c                   67      266      20         0.4210      0.1540     9725.4        2154.7
par8-5-c                   75      298      8          1.7620      0.2030     37640.4       7682.0
flat100-239 (100 inst.)    300     1117     3.60       8.2540      0.1054     54762.0       1542.5
uf125-538 (100 inst.)      125     538      19.25      0.6875      0.3260     9665.3        792.0
g125-17                    2125    66272    14         142.9450    12.7620    2051374.0     158549.1
g125-18                    2250    70163    20         1.4585      0.9500     24056.9       18669.4
g250-15                    3750    233965   18         0.6326      0.9455     11615.2       15857.6
g250-20                    7250    454622   16         186.5020    20.5490    1959751.8     232450.8



τ-EO-ISAT1 performed worse than the other two algorithms on all the instances, taking significantly longer time. The intuitive explanation for that low performance is that an ISAT1 instance is a series of problems with incremental ratios of clauses to variables, where the first ones are relatively easy to satisfy (few clauses and many variables). If the series contains problems at the phase transition (values of the ratio near the threshold), it is generally difficult to find a satisfying assignment to such problems and hence, more frequent local search repairs are performed (step 1.c of the algorithm). It seems that this approach may not be suitable for stochastic local search algorithms, whereas the incremental systematic algorithm proposed by Hooker [14] was substantially faster than DPL [10], [17]. However, more complete tests are required to further investigate this hypothesis.



Table 2. Results of τ-EO-ISAT on ISAT2 instances

Problem id                 n       m        Success    CPU time (s)           # Flips
                                            rate/20    Mean        Std        Mean          Std
ais6                       61      581      20         0.0540      0.0115     1080.0        320.1
ais8                       113     1520     20         2.2310      1.1543     15403.5       1356.8
ais10                      181     3151     8          3.0270      2.5230     6045.9        1582.2
ais12                      265     5666     8          4.1985      1.7620     18458.1       2351.0
ii8a1                      66      186      20         0.0008      0.0005     38.0          0.0
ii8a2                      180     800      20         0.0045      0.0012     67.2          0.1
ii8a3                      264     1552     20         0.0455      0.0125     205.4         54.2
ii8a4                      396     2798     20         0.2480      0.0165     223.2         22.5
ii8b1                      336     2068     20         0.0457      0.0054     104.7         24.1
ii8b2                      576     4088     20         2.6800      0.2754     3216.4        412.5
ii8b3                      816     6108     19         3.2670      2.2850     20255.4       654.1
ii8b4                      1068    8214     20         4.3428      2.2490     1208.5        2543.9
ii8c1                      510     3065     20         0.0542      0.0012     137.9         65.4
ii8c2                      950     6689     20         3.6502      1.2760     2702.2        25.3
ii8d1                      530     3207     20         1.3720      0.0086     823.9         85.2
ii8d2                      930     6547     20         4.2365      0.0450     959.4         21.3
ii8e1                      520     3136     20         0.0350      0.0014     123.1         8.4
ii8e2                      870     6121     20         1.0395      0.0745     310.5         12.6
par8-1-c                   64      254      20         0.0825      0.0150     2321.6        54.8
par8-2-c                   68      270      20         0.0945      0.0172     2551.6        545.6
par8-3-c                   75      298      20         0.0250      0.0120     550.6         185.4
par8-4-c                   67      266      20         0.1278      0.0850     3195.0        1255.6
par8-5-c                   75      298      15         0.9540      0.6535     21465.0       11520.1
flat100-239 (100 inst.)    300     1117     5.30       5.2050      0.1442     42435.7       1280.8
uf125-538 (100 inst.)      125     538      19.55      0.4382      0.0321     4359.6        458.0
g125-17                    2125    66276    18         64.5205     8.3510     626452.0      95734.0
g125-18                    2250    70163    20         1.2651      0.2090     11245.8       1562.6
g250-15                    3750    233965   20         0.9510      0.0650     9756.1        455.3
g250-20                    7250    454622   19         134.8600    12.2945    1295286.5     981005.0



As an initial result, τ-EO-ISAT2 solved all the problems in less computation time and provided better solution quality than τ-EO-ISAT1, but it did not dominate R-Novelty on all the problems. However, it should be noted that the mean times reported include the times needed to find a model for $\varphi_P$. Hence, the results presented suggest that ISAT2 is a promising approach for incremental solving.



Table 3. Results of R-Novelty on SAT benchmark instances

Problem id                 n       m        Success    CPU time (s)           # Flips
                                            rate/20    Mean        Std        Mean          Std
ais6                       61      581      20         0.0984      0.0062     2185.8        84.4
ais8                       113     1520     19         3.3941      0.8450     22065.4       5490.2
ais10                      181     3151     6          4.9402      0.6376     8590.0        1262.5
ais12                      265     5666     6          5.6430      1.2640     20652.8       1850.1
ii8a1                      66      186      20         0.0015      0.0001     36.0          0.0
ii8a2                      180     800      20         0.0097      0.0001     90.4          0.0
ii8a3                      264     1552     20         0.0260      0.0075     270.0         10.2
ii8a4                      396     2798     20         0.4724      0.0710     400.5         85.1
ii8b1                      336     2068     20         0.0522      0.0150     115.9         52.5
ii8b2                      576     4088     20         0.9451      0.0548     815.4         152.0
ii8b3                      816     6108     18         1.8500      0.9640     2366.5        1175.3
ii8b4                      1068    8214     12         2.1050      0.7571     2725.0        901.5
ii8c1                      510     3065     20         0.2378      0.0001     174.0         0.0
ii8c2                      950     6689     20         1.2482      0.8440     229.1         1.0
ii8d1                      530     3207     20         0.6200      0.0118     210.2         5.0
ii8d2                      930     6547     20         1.8550      0.0330     564.5         78.5
ii8e1                      520     3136     20         0.6850      0.0235     355.0         12.0
ii8e2                      870     6121     20         0.9850      0.1482     510.2         15.0
par8-1-c                   64      254      20         0.0760      0.0050     2540.5        536.4
par8-2-c                   68      270      20         0.1405      0.0095     2115.0        450.2
par8-3-c                   75      298      20         0.9550      0.2050     16630.0       1285.0
par8-4-c                   67      266      20         1.5304      0.1225     22440.8       672.0
par8-5-c                   75      298      10         0.7710      0.0860     6856.0        1448.4
flat100-239 (100 inst.)    300     1117     7.10       4.2600      0.9520     37574.0       3715.0
uf125-538 (100 inst.)      125     538      19.40      0.5500      0.1060     4850.20       722.0
g125-17                    2125    66272    20         71.4670     5.6390     931675.2      98821.0
g125-18                    2250    70163    20         1.6651      0.2405     12608.4       5732.1
g250-15                    3750    233965   20         0.7520      0.9460     4632.0        28730.2
g250-20                    7250    454622   20         134.1025    7.6200     453581.0      110836.5



6 Conclusion

In this paper, we have presented a stochastic local search algorithm for solving the incremental satisfiability problem (ISAT). The satisfiability of the dynamic problem is maintained by recycling the current model of a sub-problem when new clauses are added. Local search repairs are performed by an Extremal Optimization algorithm based on the theory of self-organized criticality of many natural systems. We established experimentally its effectiveness by testing two types of ISAT instances derived from SAT benchmark problems. Indeed, one or more clauses can be added to the original problem either incrementally one at a time (ISAT1) or together at the same time (ISAT2). The experimental results suggest that the algorithm is more efficient on ISAT2 instances and at least as competitive as WalkSAT with the R-Novelty heuristic for SAT. However, this work should be understood as an initial investigation and further experiments are necessary both to study the behaviour of the algorithm on large benchmark instances and to compare its performance with those of other methods. Additionally, we plan to investigate the effect of varying the ratio of the clauses being added as well as the free parameter of τ-EO on the performance of the algorithm. Finally, this work can be used as an algorithmic framework for incremental solving with other SAT solvers.



Table 4. Summary of average results for each problem group

Problem class        ais*        ii8*       par8-*-c    flat100-239   uf125-538   g*

Average success rate / 20
τ-EO-ISAT1           11.75       18.92      17.60       3.60          19.25       17.00
τ-EO-ISAT2           14.00       19.92      19.00       5.30          19.55       19.25
R-Novelty            12.75       19.28      18          7.10          19.40       20.00

Average CPU time (secs)
τ-EO-ISAT1           5.8165      4.2335     0.8848      8.2540        0.6875      82.8845
τ-EO-ISAT2           2.3776      1.5015     0.2567      5.2050        0.4382      50.3991
R-Novelty            3.5189      0.7923     0.6945      4.2600        0.5500      51.9900

Average flips
τ-EO-ISAT1           24711.47    5009.98    16971.69    54762.00      9665.30     1011699.40
τ-EO-ISAT2           10246.87    2169.69    6016.76     42435.70      4359.60     485685.10
R-Novelty            13373.5     633.04     10116.45    37574.00      4850.20     350624.15
Abstract. Term equations involving individual and sequence variables, and individual and sequence function symbols are studied. Function symbols can have either fixed or flexible arity. A new unification procedure for solving such equations is presented. Decidability of unification is proved. Completeness and almost minimality of the procedure are shown.



1 Introduction 

We study term equations with sequence variables and sequence function symbols. A sequence variable can be instantiated by any finite sequence of terms, including the empty sequence. A sequence function abbreviates a finite sequence of functions all having the same argument lists¹. An instance of such a function is IntegerDivision(x, y) that abbreviates the sequence Quotient(x, y), Remainder(x, y).

Bringing sequence functions into the language naturally allows Skolemization over sequence variables: Let x, y be individual variables, $\bar{x}$ be a sequence variable, and p be a flexible arity predicate symbol. Then $\forall x \forall y \exists \bar{x}.\, p(x, y, \bar{x})$ Skolemizes to $\forall x \forall y.\, p(x, y, \bar{f}(x, y))$, where $\bar{f}$ is a binary Skolem sequence function symbol. Another example, $\forall \bar{y} \exists \bar{x}.\, p(\bar{y}, \bar{x})$, where $\bar{y}$ is a sequence variable, after Skolemization introduces a flexible arity sequence function symbol $\bar{g}$: $\forall \bar{y}.\, p(\bar{y}, \bar{g}(\bar{y}))$.

Equation solving with sequence variables plays an important role in various 
applications in automated reasoning, artificial intelligence, and programming. 
At the end of the paper we briefly review some of the works related to this topic. 

We contribute to this area by introducing a new unification procedure for 
solving equations in the free theory with individual and sequence variables, and 
individual and sequence function symbols. Function symbols can have either 
fixed or flexible arity. We prove that solvability of an equation is decidable in 
such a theory, and provide a unification procedure that enumerates an almost 
minimal complete set of solutions. The procedure terminates if the set is finite. 
This work is an extension and refinement of our previous results [10]. 

We implemented the procedure (without the decision algorithm) in Mathematica [18] on the basis of the rule-based programming system ρLog² [13].

* Supported by the Austrian Science Foundation (FWF) under Project SFB F1302.

¹ Semantically, sequence functions can be interpreted as multi-valued functions.

² Available from http://www.ricam.oeaw.ac.at/people/page/marin/RhoLog/.

B. Buchberger and J.A. Campbell (Eds.): AISC 2004, LNAI 3249, pp. 157–170, 2004.

© Springer-Verlag Berlin Heidelberg 2004
The paper is organized as follows: In Section 2 basic notions are introduced. In Section 3 decidability is proved. In Section 4 the relation with order-sorted higher-order E-unification is discussed. In Section 5 the unification procedure is defined and its properties are studied. In Section 6 some of the related work is reviewed. A longer version of this paper with full proofs is available on the web [12].

2 Preliminaries 

We assume that the reader is familiar with the standard notions of unification theory [3]. We consider an alphabet consisting of the following pairwise disjoint sets of symbols: individual variables $\mathcal{V}_{Ind}$, sequence variables $\mathcal{V}_{Seq}$, fixed arity individual function symbols $\mathcal{F}^{Fix}_{Ind}$, flexible arity individual function symbols $\mathcal{F}^{Flex}_{Ind}$, fixed arity sequence function symbols $\mathcal{F}^{Fix}_{Seq}$, flexible arity sequence function symbols $\mathcal{F}^{Flex}_{Seq}$. Each set of variables is countable. Each set of function symbols is finite or countable. Besides, the alphabet contains the parentheses '(' and ')' and the comma ','. We will use the following denotations: $\mathcal{V} := \mathcal{V}_{Ind} \cup \mathcal{V}_{Seq}$; $\mathcal{F}_{Ind} := \mathcal{F}^{Fix}_{Ind} \cup \mathcal{F}^{Flex}_{Ind}$; $\mathcal{F}_{Seq} := \mathcal{F}^{Fix}_{Seq} \cup \mathcal{F}^{Flex}_{Seq}$; $\mathcal{F}^{Fix} := \mathcal{F}^{Fix}_{Ind} \cup \mathcal{F}^{Fix}_{Seq}$; $\mathcal{F}^{Flex} := \mathcal{F}^{Flex}_{Ind} \cup \mathcal{F}^{Flex}_{Seq}$; $\mathcal{F} := \mathcal{F}_{Ind} \cup \mathcal{F}_{Seq} = \mathcal{F}^{Fix} \cup \mathcal{F}^{Flex}$. The arity of $f \in \mathcal{F}^{Fix}$ is denoted by $Ar(f)$. A function symbol $c \in \mathcal{F}^{Fix}$ is called a constant if $Ar(c) = 0$.

Definition 1. A term over $\mathcal{F}$ and $\mathcal{V}$ is either an individual or a sequence term defined as follows:

1. If $t \in \mathcal{V}_{Ind}$ (resp. $t \in \mathcal{V}_{Seq}$), then t is an individual (resp. sequence) term.

2. If $f \in \mathcal{F}^{Fix}_{Ind}$ (resp. $f \in \mathcal{F}^{Fix}_{Seq}$), $Ar(f) = n$, $n \ge 0$, and $t_1, \ldots, t_n$ are individual terms, then $f(t_1, \ldots, t_n)$ is an individual (resp. sequence) term.

3. If $f \in \mathcal{F}^{Flex}_{Ind}$ (resp. $f \in \mathcal{F}^{Flex}_{Seq}$) and $t_1, \ldots, t_n$ ($n \ge 0$) are individual or sequence terms, then $f(t_1, \ldots, t_n)$ is an individual (resp. sequence) term.

The head of a term $t = f(t_1, \ldots, t_n)$, denoted by $Head(t)$, is the function symbol f. We denote by $\mathcal{T}_{Ind}(\mathcal{F}, \mathcal{V})$, $\mathcal{T}_{Seq}(\mathcal{F}, \mathcal{V})$, and $\mathcal{T}(\mathcal{F}, \mathcal{V})$, respectively, the sets of all individual terms, all sequence terms, and all terms over $\mathcal{F}$ and $\mathcal{V}$. An equation over $\mathcal{F}$ and $\mathcal{V}$ is a pair (s, t), denoted by $s \approx t$, where $s, t \in \mathcal{T}_{Ind}(\mathcal{F}, \mathcal{V})$.

Example 1. Let $x, y \in \mathcal{V}_{Ind}$, $\bar{x} \in \mathcal{V}_{Seq}$, $f \in \mathcal{F}^{Flex}_{Ind}$, $g \in \mathcal{F}^{Fix}_{Ind}$, $\bar{f} \in \mathcal{F}^{Flex}_{Seq}$, $\bar{g} \in \mathcal{F}^{Fix}_{Seq}$, $Ar(g) = 2$, and $Ar(\bar{g}) = 1$. Then $f(x, g(x, y))$ and $f(x, \bar{f}(x, \bar{x}, y))$ are individual terms; $\bar{f}(x, \bar{f}(x, \bar{x}, y))$ and $\bar{g}(f(x, \bar{x}, y))$ are sequence terms; $f(x, g(\bar{x}))$, $f(x, \bar{g}(x, y))$ and $f(x, g(\bar{x}, y))$ are not terms; $f(x, g(x, y)) \approx g(x, y)$ is an equation; $\bar{f}(x, g(x, y)) \approx g(x, y)$, $\bar{x} \approx f(x)$ and $\bar{g}(x) \approx f(x)$ are not equations.

If not otherwise stated, the following symbols, maybe with indices, are used as metavariables: x and y over individual variables; $\bar{x}$, $\bar{y}$, $\bar{z}$ over sequence variables; v over (individual or sequence) variables; f, g, h over individual function symbols; $\bar{f}$, $\bar{g}$, $\bar{h}$ over sequence function symbols; a, b, c over individual constants; $\bar{a}$, $\bar{b}$, $\bar{c}$ over sequence constants; s, t, r, q over terms.

Let T be a term, a sequence of terms, or a set of terms. Then we denote by $IVar(T)$ (resp. by $SVar(T)$) the set of all individual (resp. sequence) variables in T; by $Var(T)$ the set $IVar(T) \cup SVar(T)$; by $IFun(T)$ (resp. by $SFun(T)$) the set of all individual (resp. sequence) function symbols in T; by $Fix(T)$ (resp. by $Flex(T)$) the set of all fixed (resp. flexible) arity function symbols in T.

Definition 2. A variable binding is either a pair $x \mapsto t$ where $t \in \mathcal{T}_{Ind}(\mathcal{F}, \mathcal{V})$ 
and $t \neq x$, or an expression $\overline{x} \mapsto \ulcorner t_1, \ldots, t_n \urcorner$ where $n \geq 0$, for all $1 \leq i \leq n$ 
we have $t_i \in \mathcal{T}(\mathcal{F}, \mathcal{V})$, and if $n = 1$ then $t_1 \neq \overline{x}$. 

Definition 3. A sequence function symbol binding is an expression of the form 
$\overline{f} \mapsto \ulcorner \overline{g}_1, \ldots, \overline{g}_m \urcorner$ where $m \geq 1$, if $m = 1$ then $\overline{f} \neq \overline{g}_1$, and either $\overline{f}, \overline{g}_1, \ldots, \overline{g}_m \in \mathcal{F}^{Fix}_{Seq}$ and $Ar(\overline{f}) = Ar(\overline{g}_1) = \cdots = Ar(\overline{g}_m)$, or $\overline{f}, \overline{g}_1, \ldots, \overline{g}_m \in \mathcal{F}^{Flex}_{Seq}$. 

Definition 4. A substitution is a finite set of bindings 
$\{x_1 \mapsto t_1, \ldots, x_n \mapsto t_n,\ \overline{x}_1 \mapsto \ulcorner s^1_1, \ldots, s^1_{k_1} \urcorner, \ldots, \overline{x}_m \mapsto \ulcorner s^m_1, \ldots, s^m_{k_m} \urcorner,\ \overline{f}_1 \mapsto \ulcorner \overline{g}^1_1, \ldots, \overline{g}^1_{l_1} \urcorner, \ldots, \overline{f}_r \mapsto \ulcorner \overline{g}^r_1, \ldots, \overline{g}^r_{l_r} \urcorner\}$ 
where $n, m, r \geq 0$, $x_1, \ldots, x_n, \overline{x}_1, \ldots, \overline{x}_m$ are distinct variables and 
$\overline{f}_1, \ldots, \overline{f}_r$ are distinct sequence function symbols. 

Lower case Greek letters are used to denote substitutions. The empty substitution is denoted by $\varepsilon$. 

Definition 5. The instance of a term $t$ with respect to a substitution $\sigma$, denoted 
$t\sigma$, is defined recursively as follows: 

1. $x\sigma = t$ if $x \mapsto t \in \sigma$, and $x\sigma = x$ otherwise. 

2. $\overline{x}\sigma = \ulcorner t_1, \ldots, t_n \urcorner$ if $\overline{x} \mapsto \ulcorner t_1, \ldots, t_n \urcorner \in \sigma$, $n \geq 0$, and $\overline{x}\sigma = \overline{x}$ otherwise. 

3. $f(t_1, \ldots, t_n)\sigma = f(t_1\sigma, \ldots, t_n\sigma)$. 

4. $\overline{f}(t_1, \ldots, t_n)\sigma = \ulcorner \overline{g}_1(t_1\sigma, \ldots, t_n\sigma), \ldots, \overline{g}_m(t_1\sigma, \ldots, t_n\sigma) \urcorner$ if $\overline{f} \mapsto \ulcorner \overline{g}_1, \ldots, \overline{g}_m \urcorner \in \sigma$, 
and $\overline{f}(t_1, \ldots, t_n)\sigma = \overline{f}(t_1\sigma, \ldots, t_n\sigma)$ otherwise. 

Example 2. Let $\sigma = \{x \mapsto a,\ y \mapsto f(\overline{x}),\ \overline{x} \mapsto \ulcorner \urcorner,\ \overline{y} \mapsto \ulcorner a, \overline{x} \urcorner,\ \overline{g} \mapsto \ulcorner \overline{g}_1, \overline{g}_2 \urcorner\}$. Then 

$f(x, \overline{x}, \overline{g}(y, \overline{g}()), \overline{y})\sigma = f(a,\ \overline{g}_1(f(\overline{x}), \overline{g}_1(), \overline{g}_2()),\ \overline{g}_2(f(\overline{x}), \overline{g}_1(), \overline{g}_2()),\ a,\ \overline{x})$. 

Definition 6. The application of $\sigma$ on $\overline{f}$, denoted $\overline{f}\sigma$, is the sequence of function 
symbols $\ulcorner \overline{g}_1, \ldots, \overline{g}_m \urcorner$ if $\overline{f} \mapsto \ulcorner \overline{g}_1, \ldots, \overline{g}_m \urcorner \in \sigma$. Otherwise $\overline{f}\sigma = \overline{f}$. 

Applying a substitution $\theta$ on a sequence of terms $\ulcorner t_1, \ldots, t_n \urcorner$ gives the sequence 
of terms $\ulcorner t_1\theta, \ldots, t_n\theta \urcorner$. 

Definition 7. Let $\sigma$ be a substitution. (1) The domain of $\sigma$ is the set $Dom(\sigma) = 
\{l \mid l\sigma \neq l\}$ of variables and sequence function symbols. (2) The codomain of $\sigma$ 
is the set $Cod(\sigma) = \{l\sigma \mid l \in Dom(\sigma)\}$ of terms and sequence function symbols (see the second footnote below). 
(3) The range of $\sigma$ is the set $Ran(\sigma) = Var(Cod(\sigma))$ of variables. 

Footnote: To improve readability, we write sequences that bind sequence variables between 
$\ulcorner$ and $\urcorner$. 

Footnote: Note that the codomain of a substitution is a set of terms and sequence function 
symbols, not a set consisting of terms, sequences of terms, sequence function symbols, 
and sequences of sequence function symbols. For instance, $Cod(\{x \mapsto f(a),\ \overline{x} \mapsto \ulcorner a, a, b \urcorner,\ \overline{c} \mapsto \ulcorner \overline{c}_1, \overline{c}_2 \urcorner\}) = \{f(a), a, b, \overline{c}_1, \overline{c}_2\}$. 
Definition 8. Let $\sigma$ and $\vartheta$ be two substitutions: 

$\sigma = \{x_1 \mapsto t_1, \ldots, x_n \mapsto t_n,\ \overline{x}_1 \mapsto \ulcorner s^1_1, \ldots, s^1_{k_1} \urcorner, \ldots, \overline{x}_m \mapsto \ulcorner s^m_1, \ldots, s^m_{k_m} \urcorner,\ \overline{f}_1 \mapsto \ulcorner \overline{f}^1_1, \ldots, \overline{f}^1_{l_1} \urcorner, \ldots, \overline{f}_r \mapsto \ulcorner \overline{f}^r_1, \ldots, \overline{f}^r_{l_r} \urcorner\}$, 

$\vartheta = \{y_1 \mapsto r_1, \ldots, y_{n'} \mapsto r_{n'},\ \overline{y}_1 \mapsto \ulcorner q^1_1, \ldots, q^1_{k'_1} \urcorner, \ldots, \overline{y}_{m'} \mapsto \ulcorner q^{m'}_1, \ldots, q^{m'}_{k'_{m'}} \urcorner,\ \overline{g}_1 \mapsto \ulcorner \overline{g}^1_1, \ldots, \overline{g}^1_{l'_1} \urcorner, \ldots, \overline{g}_{r'} \mapsto \ulcorner \overline{g}^{r'}_1, \ldots, \overline{g}^{r'}_{l'_{r'}} \urcorner\}$. 

Then the composition of $\sigma$ and $\vartheta$, $\sigma\vartheta$, is the substitution obtained from the set 

$\{x_1 \mapsto t_1\vartheta, \ldots, x_n \mapsto t_n\vartheta,\ \overline{x}_1 \mapsto \ulcorner s^1_1\vartheta, \ldots, s^1_{k_1}\vartheta \urcorner, \ldots, \overline{x}_m \mapsto \ulcorner s^m_1\vartheta, \ldots, s^m_{k_m}\vartheta \urcorner,$ 
$\overline{f}_1 \mapsto \ulcorner \overline{f}^1_1\vartheta, \ldots, \overline{f}^1_{l_1}\vartheta \urcorner, \ldots, \overline{f}_r \mapsto \ulcorner \overline{f}^r_1\vartheta, \ldots, \overline{f}^r_{l_r}\vartheta \urcorner,$ 
$y_1 \mapsto r_1, \ldots, y_{n'} \mapsto r_{n'},\ \overline{y}_1 \mapsto \ulcorner q^1_1, \ldots, q^1_{k'_1} \urcorner, \ldots, \overline{y}_{m'} \mapsto \ulcorner q^{m'}_1, \ldots, q^{m'}_{k'_{m'}} \urcorner,$ 
$\overline{g}_1 \mapsto \ulcorner \overline{g}^1_1, \ldots, \overline{g}^1_{l'_1} \urcorner, \ldots, \overline{g}_{r'} \mapsto \ulcorner \overline{g}^{r'}_1, \ldots, \overline{g}^{r'}_{l'_{r'}} \urcorner\}$ 

by deleting 

1. all the bindings $x_i \mapsto t_i\vartheta$ ($1 \leq i \leq n$) for which $x_i = t_i\vartheta$, 

2. all the bindings $\overline{x}_i \mapsto \ulcorner s^i_1\vartheta, \ldots, s^i_{k_i}\vartheta \urcorner$ ($1 \leq i \leq m$) for which the sequence 
$s^i_1\vartheta, \ldots, s^i_{k_i}\vartheta$ consists of a single term $\overline{x}_i$, 

3. all the sequence function symbol bindings $\overline{f}_i \mapsto \ulcorner \overline{f}^i_1\vartheta, \ldots, \overline{f}^i_{l_i}\vartheta \urcorner$ ($1 \leq i \leq r$) 
such that the sequence $\overline{f}^i_1\vartheta, \ldots, \overline{f}^i_{l_i}\vartheta$ consists of a single function symbol $\overline{f}_i$, 

4. all the bindings $y_i \mapsto r_i$ ($1 \leq i \leq n'$) such that $y_i \in \{x_1, \ldots, x_n\}$, 

5. all the bindings $\overline{y}_i \mapsto \ulcorner q^i_1, \ldots, q^i_{k'_i} \urcorner$ ($1 \leq i \leq m'$) with $\overline{y}_i \in \{\overline{x}_1, \ldots, \overline{x}_m\}$, 

6. all the sequence function symbol bindings $\overline{g}_i \mapsto \ulcorner \overline{g}^i_1, \ldots, \overline{g}^i_{l'_i} \urcorner$ ($1 \leq i \leq r'$) 
such that $\overline{g}_i \in \{\overline{f}_1, \ldots, \overline{f}_r\}$. 

Example 3. Let $\sigma = \{x \mapsto y,\ \overline{x} \mapsto \ulcorner \overline{y}, \overline{x} \urcorner,\ \overline{y} \mapsto \ulcorner f(a, b), y, \overline{g}(\overline{x}) \urcorner,\ \overline{f} \mapsto \ulcorner \overline{g}, \overline{h} \urcorner\}$ 
and $\vartheta = \{y \mapsto x,\ \overline{y} \mapsto \overline{x},\ \overline{x} \mapsto \ulcorner \urcorner,\ \overline{g} \mapsto \ulcorner \overline{g}_1, \overline{g}_2 \urcorner\}$ be two substitutions. Then 
$\sigma\vartheta = \{y \mapsto x,\ \overline{y} \mapsto \ulcorner f(a, b), x, \overline{g}_1(), \overline{g}_2() \urcorner,\ \overline{f} \mapsto \ulcorner \overline{g}_1, \overline{g}_2, \overline{h} \urcorner,\ \overline{g} \mapsto \ulcorner \overline{g}_1, \overline{g}_2 \urcorner\}$. 
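Instance (Definition 5), application to sequences (Definition 6) and composition (Definition 8), worked out as an added example; this is not code from the paper or from any system it describes. Terms are modelled with Python dataclasses; since identifiers cannot carry bars, the sequence variables $\overline{x}, \overline{y}$ are written SVar("X"), SVar("Y") and the sequence function symbols $\overline{f}, \overline{g}, \overline{h}, \overline{g}_1, \overline{g}_2$ are written "F", "G", "H", "G1", "G2" (naming chosen here). Examples 2 and 3 are transcribed at the end so the results can be compared with the paper.

```python
from dataclasses import dataclass
from typing import Dict, Tuple, Union

# Constructed term language: individual variables, sequence variables,
# applications, and sequence function symbols used as binding keys.


@dataclass(frozen=True)
class Var:            # individual variable x
    name: str


@dataclass(frozen=True)
class SVar:           # sequence variable x̄ (written with a capital letter)
    name: str


@dataclass(frozen=True)
class App:            # f(t1,...,tn); seq=True when f is a sequence function symbol
    head: str
    seq: bool
    args: Tuple["Term", ...] = ()


@dataclass(frozen=True)
class SFun:           # sequence function symbol f̄ as the left side of a binding
    name: str


Term = Union[Var, SVar, App]
# Var -> Term, SVar -> tuple of Terms (a sequence), SFun -> tuple of symbol names
Subst = Dict[Union[Var, SVar, SFun], object]


def instance_seq(t: Term, sigma: Subst) -> Tuple[Term, ...]:
    """Instance of t under sigma (Definition 5) as a sequence of terms: a bound
    sequence variable or sequence function symbol may yield zero or several
    terms, which are spliced into the enclosing argument list."""
    if isinstance(t, Var):
        return (sigma.get(t, t),)
    if isinstance(t, SVar):
        return tuple(sigma.get(t, (t,)))
    args = tuple(s for a in t.args for s in instance_seq(a, sigma))
    if t.seq and SFun(t.head) in sigma:
        # Definition 5(4): f̄ ↦ ⌜ḡ1,...,ḡm⌝ spreads f̄(...) into ḡ1(...),...,ḡm(...)
        return tuple(App(g, True, args) for g in sigma[SFun(t.head)])
    return (App(t.head, t.seq, args),)


def instance(t: Term, sigma: Subst) -> Term:
    """Instance of an individual term; the result must be a single term."""
    res = instance_seq(t, sigma)
    if len(res) != 1:
        raise ValueError("instance of an individual term is not a single term")
    return res[0]


def compose(sigma: Subst, theta: Subst) -> Subst:
    """Composition sigma·theta (Definition 8): apply theta to every right-hand
    side of sigma, drop bindings that became trivial (deletion rules 1-3), then
    keep the bindings of theta whose left side sigma does not bind (rules 4-6)."""
    result: Subst = {}
    for key, val in sigma.items():
        if isinstance(key, Var):
            new = instance(val, theta)
            if new != key:
                result[key] = new
        elif isinstance(key, SVar):
            new_seq = tuple(s for t in val for s in instance_seq(t, theta))
            if new_seq != (key,):
                result[key] = new_seq
        else:  # SFun: f̄^i_j ϑ are sequences of symbols, flattened into one sequence
            new_syms = tuple(h for g in val for h in theta.get(SFun(g), (g,)))
            if new_syms != (key.name,):
                result[key] = new_syms
    for key, val in theta.items():
        if key not in sigma:
            result[key] = val
    return result


# --- the paper's Examples 2 and 3 in this representation ---
x, y = Var("x"), Var("y")
X, Y = SVar("X"), SVar("Y")
a, b = App("a", False), App("b", False)


def f(*args: Term) -> App:            # flexible arity individual symbol f
    return App("f", False, tuple(args))


def G(*args: Term) -> App:            # sequence function symbol ḡ
    return App("G", True, tuple(args))


def example2() -> Term:
    """Example 2: f(x, x̄, ḡ(y, ḡ()), ȳ)σ."""
    sigma = {x: a, y: f(X), X: (), Y: (a, X), SFun("G"): ("G1", "G2")}
    return instance(f(x, X, G(y, G()), Y), sigma)


def example3() -> Subst:
    """Example 3: the composition σϑ."""
    sigma = {x: y, X: (Y, X), Y: (f(a, b), y, G(X)), SFun("F"): ("G", "H")}
    theta = {y: x, Y: (X,), X: (), SFun("G"): ("G1", "G2")}
    return compose(sigma, theta)
```

Note that `instance` applies the substitution once: `y` is replaced by `f(X)` and the `X` inside it is not instantiated again, which is why `f(X)` survives in the result of Example 2.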

Definition 9. A substitution $\sigma$ is called linearizing away from a finite set of 
sequence function symbols $Q$ iff the following three conditions hold: (1) $Cod(\sigma) \cap Q = \emptyset$. (2) For all $\overline{f}, \overline{g} \in Dom(\sigma) \cap Q$, if $\overline{f} \neq \overline{g}$, then $\{\overline{f}\sigma\} \cap \{\overline{g}\sigma\} = \emptyset$. (3) If 
$\overline{f} \mapsto \ulcorner \overline{g}_1, \ldots, \overline{g}_n \urcorner \in \sigma$ and $\overline{f} \in Q$, then $\overline{g}_i \neq \overline{g}_j$ for all $1 \leq i < j \leq n$. 

Intuitively, a substitution linearizing away from Q either leaves a sequence 
function symbol in Q “unchanged”, or “moves it away from” Q, binding it with 
a sequence of distinct sequence function symbols that do not occur in Q, and 
maps different sequence function symbols to disjoint sequences. 

Let $E$ be a set of equations over $\mathcal{F}$ and $\mathcal{V}$. By $\approx_E$ we denote the least congruence relation on $\mathcal{T}(\mathcal{F}, \mathcal{V})$ that is closed under substitution application and 
contains $E$. More precisely, $\approx_E$ contains $E$, satisfies reflexivity, symmetry, transitivity, congruence, and a special form of substitutivity: For all $s, t \in \mathcal{T}(\mathcal{F}, \mathcal{V})$, 
if $s \approx_E t$ and $s\sigma, t\sigma \in \mathcal{T}(\mathcal{F}, \mathcal{V})$ for some $\sigma$, then $s\sigma \approx_E t\sigma$. Substitutivity in this 
form requires that $s\sigma$ and $t\sigma$ must be single terms, not arbitrary sequences of 
terms. The set $\approx_E$ is called an equational theory defined by $E$. In the sequel, 
we will also call the set $E$ an equational theory, or $E$-theory. The signature of 
$E$ is the set $Sig(E) = IFun(E) \cup SFun(E)$. Solving equations in an $E$-theory 
is called $E$-unification. The fact that the equation $s \approx t$ has to be solved in an 
$E$-theory is written as $s \approx^?_E t$. 

Definition 10. Let $E$ be an equational theory with $Sig(E) \subseteq \mathcal{F}$. An $E$-unification problem over $\mathcal{F}$ is a finite multiset $\Gamma = \{s_1 \approx^?_E t_1, \ldots, s_n \approx^?_E t_n\}$ of 
equations over $\mathcal{F}$ and $\mathcal{V}$. An $E$-unifier of $\Gamma$ is a substitution $\sigma$ such that $\sigma$ is 
linearizing away from $SFun(\Gamma)$ and for all $1 \leq i \leq n$, $s_i\sigma \approx_E t_i\sigma$. The set of 
all $E$-unifiers of $\Gamma$ is denoted by $\mathcal{U}_E(\Gamma)$, and $\Gamma$ is $E$-unifiable iff $\mathcal{U}_E(\Gamma) \neq \emptyset$. 

If $\Gamma = \{s_1 \approx^?_E t_1, \ldots, s_n \approx^?_E t_n\}$ is a unification problem, then $s_i, t_i \in \mathcal{T}_{Ind}(\mathcal{F}, \mathcal{V})$ 
for all $1 \leq i \leq n$. 

Example f. Let E = {f{g{x,y,a)) f{g{c,b,x))}. Then {x^o[,y^ 

X I— ^ a, Cl— !■ '"cT, C 2 ~'} G ld(h{E). 

Let E = {f{g{x,y,a)) f{h{c,x))}. Then U${E) = 0. If we did not require 

the iH-unifiers of a unification problem to be linearizing away from the sequence 
function symbol set of the problem, then E would have 0-unifiers, e.g., {x i-^- 
cq , y I— *■ '~C 2 , b~',x 1 -^ a, 3 '— *■ h,c^ '"cT, C 2 ~'} would be one of them. 

In the sequel, if not otherwise stated, E stands for an equational theory, X 
for a finite set of variables, and Q for a finite set of sequence function symbols. 

Definition 11. A substitution $\sigma$ is called erasing on $X$ modulo $E$ iff either 
$f(v)\sigma \approx_E f()$ for some $f \in Sig(E)$ and $v \in X$, or $\overline{x} \mapsto \ulcorner \urcorner \in \sigma$ for some $\overline{x} \in X$. 
We call $\sigma$ non-erasing on $X$ modulo $E$ iff $\sigma$ is not erasing on $X$ modulo $E$. 

Example 5. Any substitution containing $\overline{x} \mapsto \ulcorner \urcorner$ is erasing modulo $E = \emptyset$ on 
any $X$ that contains $\overline{x}$. 

Let $E = \{f(\overline{x}, f(\overline{y}), \overline{z}) \approx f(\overline{x}, \overline{y}, \overline{z})\}$ and $X = \{x, \overline{x}\}$. Then any substitution 
that contains $x \mapsto f()$, or $\overline{x} \mapsto \ulcorner \urcorner$, or $\overline{x} \mapsto \ulcorner t_1, \ldots, t_n \urcorner$ with $n \geq 1$ and $t_1 = \cdots = 
t_n = f()$, is erasing on $X$ modulo $E$. For instance, the substitutions $\{x \mapsto f()\}$, 
$\{\overline{x} \mapsto \ulcorner f() \urcorner\}$ and $\{\overline{x} \mapsto \ulcorner f(), f(), f(), f() \urcorner\}$ are erasing on $X$ modulo $E$. 

Definition 12. A substitution $\sigma$ agrees with a substitution $\vartheta$ on $X$ and $Q$ modulo $E$, denoted $\sigma =^{X,Q}_E \vartheta$, iff (1) for all $x \in X$, $x\sigma \approx_E x\vartheta$; (2) for all $\overline{f} \in Q$, 
$\overline{f}\sigma = \overline{f}\vartheta$; (3) for all $\overline{x} \in X$, there exist $t_1, \ldots, t_n, s_1, \ldots, s_n \in \mathcal{T}(\mathcal{F}, \mathcal{V})$, $n \geq 0$, 
such that $\overline{x}\sigma = \ulcorner t_1, \ldots, t_n \urcorner$, $\overline{x}\vartheta = \ulcorner s_1, \ldots, s_n \urcorner$ and $t_i \approx_E s_i$ for each $1 \leq i \leq n$. 

Example 6. Let a = {x ^ a}, r? = {x i-^- ^b,c~',a i-^- '~b,cP}, and ip = {x ^ 
’~b,cP,a 1 -^ ’~b,cP}. Let also A = {T}, Q = {a}, and £1 = 0. Then ap =^’® id. 

Definition 13. A substitution $\sigma$ is more general (resp. strongly more general) 
than $\vartheta$ on $X$ and $Q$ modulo $E$, denoted $\sigma \leq^{X,Q}_E \vartheta$ (resp. $\sigma \preceq^{X,Q}_E \vartheta$), iff $\sigma\varphi =^{X,Q}_E \vartheta$ 
for some substitution (resp. substitution non-erasing on $X$ modulo $E$) $\varphi$. 
Example 7. Let a = {x y}, = {x '~a, IP, y '~a, 6”'}, rj = {x y 

= {x,y}, Q = %, E = %. Then a< cr^ e’^V- 

A substitution $\vartheta$ is an $E$-instance (resp. strong $E$-instance) of $\sigma$ on $X$ and 
$Q$ iff $\sigma \leq^{X,Q}_E \vartheta$ (resp. $\sigma \preceq^{X,Q}_E \vartheta$). The equivalence associated with $\leq^{X,Q}_E$ (resp. 
with $\preceq^{X,Q}_E$) is denoted by $\simeq^{X,Q}_E$ (resp. by $\cong^{X,Q}_E$). The strict part of $\leq^{X,Q}_E$ (resp. $\preceq^{X,Q}_E$) 
is denoted by $<^{X,Q}_E$ (resp. $\prec^{X,Q}_E$). Definition 13 implies $\preceq^{X,Q}_E \subseteq \leq^{X,Q}_E$. 

Definition 14. A set of substitutions $S$ is called minimal (resp. almost minimal) with respect to $X$ and $Q$ modulo $E$ iff two distinct elements of $S$ are 
incomparable with respect to $\leq^{X,Q}_E$ (resp. $\preceq^{X,Q}_E$). 

Minimality implies almost minimality, but not vice versa: A counterexample 
is the set $\{\sigma, \eta\}$ from Example 7. 

Definition 15. A complete set of $E$-unifiers of an $E$-unification problem $\Gamma$ is 
a set $S$ of substitutions such that (1) $S \subseteq \mathcal{U}_E(\Gamma)$, and (2) for each $\vartheta \in \mathcal{U}_E(\Gamma)$ 
there exists $\sigma \in S$ such that $\sigma \leq^{X,Q}_E \vartheta$, where $X = Var(\Gamma)$ and $Q = SFun(\Gamma)$. 

The set $S$ is a minimal (resp. almost minimal) complete set of $E$-unifiers of 
$\Gamma$, denoted $mcu_E(\Gamma)$ (resp. $amcu_E(\Gamma)$), iff it is a complete set that is minimal 
(resp. almost minimal) with respect to $X$ and $Q$ modulo $E$. 

Proposition 1. An $E$-unification problem $\Gamma$ has an almost minimal complete 
set of $E$-unifiers iff it has a minimal complete set of $E$-unifiers. 

If $\Gamma$ is not $E$-unifiable, then $mcu_E(\Gamma) = amcu_E(\Gamma) = \emptyset$. A minimal (resp. 
almost minimal) complete set of $E$-unifiers of $\Gamma$, if it exists, is unique up to the 
equivalence $\simeq^{X,Q}_E$ (resp. $\cong^{X,Q}_E$), where $X = Var(\Gamma)$ and $Q = SFun(\Gamma)$. 

Example 8. 1. $\Gamma = \{f(\overline{x}) \approx^?_\emptyset f(\overline{y})\}$. Then $mcu_\emptyset(\Gamma) = \{\{\overline{x} \mapsto \overline{y}\}\}$, $amcu_\emptyset(\Gamma) = 
\{\{\overline{x} \mapsto \overline{y}\}, \{\overline{x} \mapsto \ulcorner \urcorner, \overline{y} \mapsto \ulcorner \urcorner\}\}$. 

2. E = {f{x,x,y) f{f{x),x,a,b)}. Then mcuii,{E) = amcud^{E) = {{x 

/ 0 ,x^^^,y^^/(),a, 6 ^}}. 

3. $\Gamma = \{f(a, \overline{x}) \approx^?_\emptyset f(\overline{x}, a)\}$. Then $mcu_\emptyset(\Gamma) = amcu_\emptyset(\Gamma) = \{\{\overline{x} \mapsto \ulcorner \urcorner\}, \{\overline{x} \mapsto a\}, \{\overline{x} \mapsto \ulcorner a, a \urcorner\}, \ldots\}$. 

X E = {f(x,y,x) f{c,a)}. Then mcud^{E) = amcud^{E) = {{x 

c,x ^ a}, {x ^ c,y ^ ' ', x a}, {x ^o[,y ^C 2 ,x ^ a,c^ '"cT, ci'”'}}. 

Definition 16. A set of substitutions $S$ is disjoint (resp. almost disjoint) wrt 
$X$ and $Q$ modulo $E$ iff two distinct elements in $S$ have no common $E$-instance 
(resp. strong $E$-instance) on $X$ and $Q$, i.e., for all $\sigma, \vartheta \in S$, if there exists $\varphi$ 
such that $\sigma \leq^{X,Q}_E \varphi$ (resp. $\sigma \preceq^{X,Q}_E \varphi$) and $\vartheta \leq^{X,Q}_E \varphi$ (resp. $\vartheta \preceq^{X,Q}_E \varphi$), then $\sigma = \vartheta$. 

Disjointness implies almost disjointness, but not vice versa: Consider again 
the set $\{\sigma, \eta\}$ in Example 7. 

Proposition 2. If a set of substitutions $S$ is disjoint (almost disjoint) wrt $X$ 
and $Q$ modulo $E$, then it is minimal (almost minimal) wrt $X$ and $Q$ modulo $E$. 




Solving Equations Involving Sequence Variables and Sequence Functions 163 



However, almost disjointness does not imply minimality: Again, take the set 
$\{\sigma, \eta\}$ in Example 7. On the other hand, minimality does not imply almost 
disjointness: Let $\sigma = \{x \mapsto f(a, y)\}$, $\vartheta = \{x \mapsto \ldots\}$ (the right-hand side of this binding did not survive extraction), $X = \{x\}$, $Q = \emptyset$, and 
$E = \emptyset$. Then $\{\sigma, \vartheta\}$ is minimal but not almost disjoint with respect to $X$ and $Q$ 
modulo $E$, because $\sigma \preceq^{X,Q}_E \varphi$ and $\vartheta \preceq^{X,Q}_E \varphi$, with $\varphi = \{x \mapsto f(a, b)\}$, but $\sigma \neq \vartheta$. 

The same example can be used to show that almost minimality does not imply 
almost disjointness either. From these observations we can also conclude that 
neither minimality nor almost minimality implies disjointness. 

The equational theory $E = \emptyset$ is called the free theory with sequence variables 
and sequence function symbols. Unification in the free theory is called syntactic sequence unification. The theory $E = \{f(\overline{x}, f(\overline{y}), \overline{z}) \approx f(\overline{x}, \overline{y}, \overline{z})\}$ that we 
first encountered in Example 5 is called the flat theory, where $f$ is the flat flexible 
arity individual function symbol. We call unification in the flat theory F-unification. Certain properties of this theory will be used in proving decidability 
of syntactic sequence unification. 



3 Decidability and Unification Type 

We show decidability of a syntactic sequence unification problem in three steps: 
First, we reduce the problem by unifiability preserving transformation to a uni- 
fication problem containing no sequence function symbols. Second, applying yet 
another unifiability preserving transformation we get rid of all free flexible arity 
(individual) function symbols, obtaining a unification problem whose signature 
consists of fixed arity individual function symbols and one flat flexible arity in- 
dividual function symbol. Finally, we show decidability of the reduced problem. 

Let $\Gamma$ be a general syntactic sequence unification problem and let $Q = 
SFun(\Gamma)$. Assume $Q \neq \emptyset$. We transform $\Gamma$ performing the following steps: (1) 
Introduce for each $n$-ary $\overline{f} \in Q$ a new $n$-ary symbol $g_{\overline{f}} \in \mathcal{F}^{Fix}_{Ind}$. (2) Introduce 
for each flexible arity $\overline{f} \in Q$ a new flexible arity symbol $g_{\overline{f}} \in \mathcal{F}^{Flex}_{Ind}$. (3) Replace 
each sequence function symbol $\overline{f}$ in $\Gamma$ with the corresponding $g_{\overline{f}}$. 

The transformation yields a new unification problem $\Delta$ that does not contain sequence function symbols. We impose the first restriction on individual 
variables, shortly RIV1, on $\Delta$ demanding that for any syntactic unifier $\lambda$ of $\Delta$ 
and for any $x \in \mathcal{V}_{Ind}$, $Head(x\lambda)$ must be different from any newly introduced 
individual function symbol. 

Theorem 1. $\Gamma$ is syntactically unifiable iff $\Delta$ with the RIV1 is syntactically 
unifiable. 

Remark 1. Unifiability of $\Delta$ without the RIV1 does not imply unifiability of $\Gamma$: 
Let $\Gamma$ be $\{f(x) \approx^?_\emptyset f(\overline{c})\}$. Then $\Delta = \{f(x) \approx^?_\emptyset f(c_{\overline{c}})\}$. $\Gamma$ is not unifiable, while 
$\{x \mapsto c_{\overline{c}}\}$ is a unifier of $\Delta$, because $x \in \mathcal{V}_{Ind}$ can be bound with $c_{\overline{c}} \in \mathcal{T}_{Ind}(\mathcal{F}, \mathcal{V})$. 

Next, our goal is to construct a general syntactic sequence unification problem without sequence function symbols that is unifiable (without restrictions) 
iff $\Delta$ with the RIV1 is syntactically unifiable. We construct a finite set of individual terms $I$ consisting of a new individual constant $c$, exactly one term of 
the form $h(y_1, \ldots, y_n)$ for each fixed arity $h \in IFun(\Gamma)$ such that $n = Ar(h)$ 
and $y_1, \ldots, y_n$ are distinct individual variables new for $\Gamma$ and $\Delta$, and exactly 
one term of the form $h(\overline{x})$ for each flexible arity $h \in IFun(\Gamma)$ such that $\overline{x}$ is a 
sequence variable new for $\Gamma$ and $\Delta$. 

Theorem 2. Let $\Delta$ have the form $\{s \approx^?_\emptyset t\}$ with $IVar(\Delta) = \{x_1, \ldots, x_n\}$ and 
$g \in \mathcal{F}^{Fix}_{Ind}$ be a new symbol with $Ar(g) = n + 1$. Then $\Delta$ with the RIV1 is 
syntactically unifiable iff there exist $r_1, \ldots, r_n \in I$ such that the general syntactic unification problem (without sequence function symbols) $\{g(s, x_1, \ldots, x_n) \approx^?_\emptyset 
g(t, r_1, \ldots, r_n)\}$ is unifiable. 

Thus, we have to show that unifiability of a general syntactic unification 
problem $\Delta$ without sequence function symbols is decidable. We assume that 
$Flex(\Delta) \neq \emptyset$, otherwise $\Delta$ would be a Robinson unification problem. We transform $\Delta$ performing the following steps: (1) Introduce a new flat symbol $seq \in \mathcal{F}^{Flex}_{Ind}$. 
(2) Introduce a new unary symbol $g_f \in \mathcal{F}^{Fix}_{Ind}$ for each $f \in Flex(\Delta)$. (3) 
Replace each term $f(r_1, \ldots, r_m)$, $m \geq 0$, in $\Delta$ by $g_f(seq(r_1, \ldots, r_m))$. 

The transformation yields a new general flat unification problem $\Theta$. Sequence 
variables occur in $\Theta$ only as arguments of terms with the head $seq$. We impose 
the second restriction on individual variables, RIV2, on $\Theta$ demanding that, for 
any F-unifier $\vartheta$ of $\Theta$ and for any $x \in \mathcal{V}_{Ind}$, $Head(x\vartheta) \neq seq$. 

Theorem 3. $\Delta$ is syntactically unifiable iff $\Theta$ with the RIV2 is F-unifiable. 

Remark 2. F-unifiability of $\Theta$ without the RIV2 does not imply syntactic unifiability of $\Delta$: Let $\Delta$ be $\{f(x) \approx^?_\emptyset f(a, b)\}$, $f \in \mathcal{F}^{Flex}_{Ind}$. Then $\Theta = \{g_f(seq(x)) \approx^?_F 
g_f(seq(a, b))\}$. Obviously $\Delta$ is not unifiable, while $\{x \mapsto seq(a, b)\}$ is an F-unifier 
of $\Theta$, because $seq(seq(a, b)) \approx_F seq(a, b)$. 

Next, our goal is to construct a general F-unification problem that is F-unifiable (without restrictions) iff $\Theta$ with the RIV2 is F-unifiable. First, we 
construct a finite set of individual terms consisting of a new individual constant $d$ and exactly one term of the form $h(y_1, \ldots, y_n)$ for each $h \in Fix(\Theta)$ such 
that $n = Ar(h)$ and $y_1, \ldots, y_n$ are distinct individual variables new for $\Gamma$ and $\Theta$. 

Theorem 4. Let $\Theta$ be $\{s \approx^?_F t\}$ with $IVar(\Theta) = \{x_1, \ldots, x_n\}$ and $h \in \mathcal{F}^{Fix}_{Ind}$ 
be a new symbol with $Ar(h) = n + 1$. Then $\Theta$ with the RIV2 is F-unifiable iff 
for some $r_1, \ldots, r_n$ from the set just constructed the general F-unification problem $\{h(s, x_1, \ldots, x_n) \approx^?_F 
h(t, r_1, \ldots, r_n)\}$ is F-unifiable. 

Thus, we are left with proving that unifiability of an F-unification problem 
$\Phi$, whose signature consists of fixed arity individual function symbols and the 
only flexible arity flat individual function symbol $seq$, is decidable. 

Let $\Phi'$ be an F-unification problem obtained from $\Phi$ by replacing each $\overline{x} \in 
SVar(\Phi)$ with a new individual variable $x_{\overline{x}}$. It is easy to see that $\Phi$ is unifiable 
iff $\Phi'$ is. Indeed, replacing each variable binding $\overline{x} \mapsto \ulcorner s_1, \ldots, s_n \urcorner$ in a unifier of 
$\Phi$ with $x_{\overline{x}} \mapsto seq(s_1, \ldots, s_n)$ yields a unifier of $\Phi'$, and vice versa. 

We can consider $\Phi'$ as an elementary unification problem in the combined 
theory $E_1 \cup E_2$, where $E_1$ is a flat equational theory over $\{seq\}$ and $\mathcal{V}_{Ind}$, and $E_2$ 
is a free equational theory over $Fix(\Phi')$ and $\mathcal{V}_{Ind}$. $E_1$-unification problems are, 
in fact, word equations, while $E_2$-unification is Robinson unification. Using the 
Baader-Schulz combination method [2], we can prove the following theorem: 

Theorem 5. F-unifiability of $\Phi'$ is decidable. 

Hence, unifiability of a general syntactic sequence unification problem is decidable. 

As for the unification type, in Example 8 we have seen that $mcu_\emptyset(\Gamma)$ is 
infinite for $\Gamma = \{f(a, \overline{x}) \approx^?_\emptyset f(\overline{x}, a)\}$. It implies that syntactic sequence unification is at least infinitary. To show that it is not nullary, by Proposition 1, 
it is sufficient to prove existence of an almost minimal set of unifiers for every 
syntactic sequence unification problem. We do it in the standard way, by proving 
that for any $\Gamma$, every strictly decreasing chain $\sigma_1 \succ^{X,Q}_\emptyset \sigma_2 \succ^{X,Q}_\emptyset \cdots$ of substitutions in $\mathcal{U}_\emptyset(\Gamma)$ is finite, where $X = Var(\Gamma)$ and $Q = SFun(\Gamma)$. Hence, syntactic 
sequence unification is infinitary. 

4 Relation with Order-Sorted Higher-Order Unification 

Syntactic sequence unification can be considered as a special case of order-sorted 
higher-order $E$-unification. Here we show the corresponding encoding in the 
framework described in [9]. We consider simply typed $\lambda$-calculus with the types 
$\iota$ and $o$. The set of base sorts consists of $ind$, $seq$, $seqc$, $o$ such that the type of 
$o$ is $o$ and the type of the other sorts is $\iota$. We will treat individual and sequence 
variables as first order variables, sequence functions as second order variables and 
define a context $\Gamma$ such that $\Gamma(x) = ind$ for all $x \in \mathcal{V}_{Ind}$, $\Gamma(\overline{x}) = seq$ for all $\overline{x} \in 
\mathcal{V}_{Seq}$, $\Gamma(\overline{f}) = seq \to seqc$ for each $\overline{f} \in \mathcal{F}^{Flex}_{Seq}$, and $\Gamma(\overline{f}) = \underbrace{ind \to \cdots \to ind}_{n \text{ times}} \to seqc$ for each $\overline{f} \in \mathcal{F}^{Fix}_{Seq}$ with $Ar(\overline{f}) = n$. Individual function symbols are treated 
as constants. We assign to each $f \in \mathcal{F}^{Flex}_{Ind}$ a functional sort $seq \to ind$ and 
to each $f \in \mathcal{F}^{Fix}_{Ind}$ with $Ar(f) = n$ a functional sort $\underbrace{ind \to \cdots \to ind}_{n \text{ times}} \to ind$. 

We assume equality constants for every sort $s$. In addition, we have two 
function symbols: a binary concatenation symbol of the sort $seq \to seq \to seq$ (its glyph did not survive extraction) and a constant $[\,]$ of 
the sort $seq$. Sorts are partially ordered as $[ind < seqc]$ and $[seqc < seq]$. The 
equational theory is an AU-theory, asserting associativity of the concatenation symbol with $[\,]$ as left 
and right unit. We consider unification problems for terms of the sort $ind$ where 
terms are in $\beta\eta$-normal form containing no bound variables, and terms whose 
head is the concatenation symbol are flattened. For a given unification problem $\Gamma$ in this theory, we 
are looking for unifiers that obey the following restrictions: If a unifier $\sigma$ binds a 
second order variable $\overline{f}$ of the sort $seq \to seqc$, then $\overline{f}\sigma = \lambda \overline{x}. \ulcorner \overline{g}_1(\overline{x}), \ldots, \overline{g}_m(\overline{x}) \urcorner$, 
and if $\sigma$ binds a second order variable $\overline{f}$ of the sort $\underbrace{ind \to \cdots \to ind}_{n \text{ times}} \to seqc$, 
then $\overline{f}\sigma = \lambda x_1 \ldots x_n. \ulcorner \overline{g}_1(x_1, \ldots, x_n), \ldots, \overline{g}_m(x_1, \ldots, x_n) \urcorner$, where $m \geq 1$ and 
$\overline{g}_1, \ldots, \overline{g}_m$ are fresh variables of the same sort as $\overline{f}$. 

Hence, syntactic sequence unification can be considered as order-sorted second-order AU-unification with additional restrictions. Order-sorted higher-order syntactic unification was investigated in [9], but we are not aware of any 
work done on order-sorted higher-order equational unification. 

5 Unification Procedure 

In the sequel we assume that $\Gamma$, maybe with indices, and $\Gamma'$ denote syntactic 
sequence unification problems. A system is either the symbol $\bot$ (representing 
failure), or a pair $\langle \Gamma; \sigma \rangle$. The inference system $\mathcal{I}$ consists of the transformation 
rules on systems listed below. The function symbol $g \in \mathcal{F}^{Flex}_{Ind}$ in the rule PD2 is 
new. In the Splitting rule $\overline{f}_1$ and $\overline{f}_2$ are new sequence function symbols of the 
same arity as $\overline{f}$ in the same rule. We assume that the indices $n, m, k, l \geq 0$. 

Projection (P): 

$\langle \Gamma; \sigma \rangle \Rightarrow \langle \Gamma\vartheta; \sigma\vartheta \rangle$, where $\vartheta \neq \varepsilon$, $Dom(\vartheta) \subseteq SVar(\Gamma)$ and $Cod(\vartheta) = \emptyset$. 

Trivial (T): 

$\langle \{s \approx^?_\emptyset s\} \cup \Gamma'; \sigma \rangle \Rightarrow \langle \Gamma'; \sigma \rangle$. 

Orient 1 (O1): 

$\langle \{s \approx^?_\emptyset x\} \cup \Gamma'; \sigma \rangle \Rightarrow \langle \{x \approx^?_\emptyset s\} \cup \Gamma'; \sigma \rangle$, if $s \notin \mathcal{V}_{Ind}$. 

Orient 2 (O2): 

$\langle \{f(s, s_1, \ldots, s_n) \approx^?_\emptyset f(\overline{x}, t_1, \ldots, t_m)\} \cup \Gamma'; \sigma \rangle \Rightarrow$ 
$\langle \{f(\overline{x}, t_1, \ldots, t_m) \approx^?_\emptyset f(s, s_1, \ldots, s_n)\} \cup \Gamma'; \sigma \rangle$, if $s \notin \mathcal{V}_{Seq}$. 

Solve (S): 

$\langle \{x \approx^?_\emptyset t\} \cup \Gamma'; \sigma \rangle \Rightarrow \langle \Gamma'\vartheta; \sigma\vartheta \rangle$, if $x \notin IVar(t)$ and $\vartheta = \{x \mapsto t\}$. 

Total Decomposition (TD): 

$\langle \{f(s_1, \ldots, s_n) \approx^?_\emptyset f(t_1, \ldots, t_n)\} \cup \Gamma'; \sigma \rangle \Rightarrow$ 
$\langle \{s_1 \approx^?_\emptyset t_1, \ldots, s_n \approx^?_\emptyset t_n\} \cup \Gamma'; \sigma \rangle$ 
if $f(s_1, \ldots, s_n) \neq f(t_1, \ldots, t_n)$, and $s_i, t_i \in \mathcal{T}_{Ind}(\mathcal{F}, \mathcal{V})$ for all $1 \leq i \leq n$. 

Partial Decomposition 1 (PD1): 

$\langle \{f(s_1, \ldots, s_n) \approx^?_\emptyset f(t_1, \ldots, t_m)\} \cup \Gamma'; \sigma \rangle \Rightarrow$ 
$\langle \{s_1 \approx^?_\emptyset t_1, \ldots, s_{k-1} \approx^?_\emptyset t_{k-1}, f(s_k, \ldots, s_n) \approx^?_\emptyset f(t_k, \ldots, t_m)\} \cup \Gamma'; \sigma \rangle$ 
if $f(s_1, \ldots, s_n) \neq f(t_1, \ldots, t_m)$, for some $1 \leq k \leq \min(n, m)$, 
$s_k \in \mathcal{T}_{Seq}(\mathcal{F}, \mathcal{V})$ or $t_k \in \mathcal{T}_{Seq}(\mathcal{F}, \mathcal{V})$, and $s_i, t_i \in \mathcal{T}_{Ind}(\mathcal{F}, \mathcal{V})$ for all $1 \leq i < k$. 

Partial Decomposition 2 (PD2): 

$\langle \{f(\overline{f}(r_1, \ldots, r_k), s_1, \ldots, s_n) \approx^?_\emptyset f(\overline{f}(q_1, \ldots, q_l), t_1, \ldots, t_m)\} \cup \Gamma'; \sigma \rangle \Rightarrow$ 
$\langle \{g(r_1, \ldots, r_k) \approx^?_\emptyset g(q_1, \ldots, q_l), f(s_1, \ldots, s_n) \approx^?_\emptyset f(t_1, \ldots, t_m)\} \cup \Gamma'; \sigma \rangle$, 
if $f(\overline{f}(r_1, \ldots, r_k), s_1, \ldots, s_n) \neq f(\overline{f}(q_1, \ldots, q_l), t_1, \ldots, t_m)$. 

Sequence Variable Elimination 1 (SVE1): 

$\langle \{f(\overline{x}, s_1, \ldots, s_n) \approx^?_\emptyset f(\overline{x}, t_1, \ldots, t_m)\} \cup \Gamma'; \sigma \rangle \Rightarrow$ 
$\langle \{f(s_1, \ldots, s_n) \approx^?_\emptyset f(t_1, \ldots, t_m)\} \cup \Gamma'; \sigma \rangle$ 
if $f(\overline{x}, s_1, \ldots, s_n) \neq f(\overline{x}, t_1, \ldots, t_m)$. 

Sequence Variable Elimination 2 (SVE2): 

$\langle \{f(\overline{x}, s_1, \ldots, s_n) \approx^?_\emptyset f(t, t_1, \ldots, t_m)\} \cup \Gamma'; \sigma \rangle \Rightarrow$ 
$\langle \{f(s_1, \ldots, s_n)\vartheta \approx^?_\emptyset f(t_1, \ldots, t_m)\vartheta\} \cup \Gamma'\vartheta; \sigma\vartheta \rangle$ 
if $\overline{x} \notin SVar(t)$ and $\vartheta = \{\overline{x} \mapsto t\}$. 

Widening 1 (W1): 

$\langle \{f(\overline{x}, s_1, \ldots, s_n) \approx^?_\emptyset f(t, t_1, \ldots, t_m)\} \cup \Gamma'; \sigma \rangle \Rightarrow$ 
$\langle \{f(s_1\vartheta, \ldots, s_n\vartheta) \approx^?_\emptyset f(t_1\vartheta, \ldots, t_m\vartheta)\} \cup \Gamma'\vartheta; \sigma\vartheta \rangle$ 
if $\overline{x} \notin SVar(t)$ and $\vartheta = \{\overline{x} \mapsto \ulcorner t, \overline{x} \urcorner\}$. 

Widening 2 (W2): 

$\langle \{f(\overline{x}, s_1, \ldots, s_n) \approx^?_\emptyset f(\overline{y}, t_1, \ldots, t_m)\} \cup \Gamma'; \sigma \rangle \Rightarrow$ 
$\langle \{f(s_1\vartheta, \ldots, s_n\vartheta) \approx^?_\emptyset f(\overline{y}, t_1\vartheta, \ldots, t_m\vartheta)\} \cup \Gamma'\vartheta; \sigma\vartheta \rangle$ 
where $\vartheta = \{\overline{y} \mapsto \ulcorner \overline{x}, \overline{y} \urcorner\}$. 

Splitting (Sp): 

$\langle \{f(\overline{x}, s_1, \ldots, s_n) \approx^?_\emptyset f(\overline{f}(r_1, \ldots, r_k), t_1, \ldots, t_m)\} \cup \Gamma'; \sigma \rangle \Rightarrow$ 
$\langle \{f(s_1, \ldots, s_n)\vartheta \approx^?_\emptyset f(\overline{f}_2(r_1, \ldots, r_k), t_1, \ldots, t_m)\vartheta\} \cup \Gamma'\vartheta; \sigma\vartheta \rangle$ 
if $\overline{x} \notin SVar(\overline{f}(r_1, \ldots, r_k))$ and $\vartheta = \{\overline{x} \mapsto \overline{f}_1(r_1, \ldots, r_k)\} \cup \{\overline{f} \mapsto \ulcorner \overline{f}_1, \overline{f}_2 \urcorner\}$. 

We may use the rule name abbreviations as subscripts, e.g., $\langle \Gamma_1; \sigma_1 \rangle \Rightarrow_P 
\langle \Gamma_2; \sigma_2 \rangle$ for Projection. We may also write $\langle \Gamma_1; \sigma_1 \rangle \Rightarrow_{BT} \langle \Gamma_2; \sigma_2 \rangle$ to indicate 
that $\langle \Gamma_1; \sigma_1 \rangle$ was transformed to $\langle \Gamma_2; \sigma_2 \rangle$ by some basic transformation (i.e., 
non-projection) rule. P, SVE2, W1, W2, and Sp are non-deterministic rules. 

A derivation is a sequence $\langle \Gamma_1; \sigma_1 \rangle \Rightarrow \langle \Gamma_2; \sigma_2 \rangle \Rightarrow \cdots$ of system transformations. A derivation is fair if any transformation rule which is continuously 
enabled is eventually applied. Any finite fair derivation $\langle \Gamma_1; \sigma_1 \rangle \Rightarrow \cdots \Rightarrow \langle \Gamma_n; \sigma_n \rangle$ 
is maximal, i.e., no further transformation rule can be applied on $\langle \Gamma_n; \sigma_n \rangle$. 

Definition 17. A syntactic sequence unification procedure is any program that 
takes a system $\langle \Gamma; \varepsilon \rangle$ as an input and uses the rules in $\mathcal{I}$ to generate a tree of 
fair derivations, called the unification tree for $\Gamma$, $UT(\Gamma)$, in the following way: 

1. The root of the tree is labeled with $\langle \Gamma; \varepsilon \rangle$; 

2. Each branch of the tree is a fair derivation either of the form $\langle \Gamma; \varepsilon \rangle \Rightarrow_P 
\langle \Gamma_1; \sigma_1 \rangle \Rightarrow_{BT} \langle \Gamma_2; \sigma_2 \rangle \Rightarrow_{BT} \cdots$ or $\langle \Gamma; \varepsilon \rangle \Rightarrow_{BT} \langle \Gamma_1; \sigma_1 \rangle \Rightarrow_{BT} 
\langle \Gamma_2; \sigma_2 \rangle \Rightarrow_{BT} \cdots$. The nodes in the tree are systems. 

3. If several transformation rules, or different instances of the same transformation rule are applicable to a node in the tree, they are applied concurrently. 

4. The decision procedure is applied to the root and to each node generated by a 
non-deterministic transformation rule, to decide whether the node contains 
a solvable unification problem. If the unification problem $\Delta$ in a node $\langle \Delta; \theta \rangle$ 
is unsolvable, then the branch is extended by $\langle \Delta; \theta \rangle \Rightarrow \bot$. 

The leaves of $UT(\Gamma)$ are labeled either with the systems of the form $\langle \emptyset; \sigma \rangle$ 
or with $\bot$. The branches of $UT(\Gamma)$ that end with $\langle \emptyset; \sigma \rangle$ are called successful 
branches, and those with the leaves $\bot$ are failed branches. We denote by $Sol_\emptyset(\Gamma)$ 
the solution set of $\Gamma$, i.e., the set of all $\sigma$-s such that $\langle \emptyset; \sigma \rangle$ is a leaf of $UT(\Gamma)$. 
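The rule-based procedure above, as an added example written for this page and not taken from the paper: a bounded search over syntactic sequence unification problems without sequence function symbols, so PD2 and Splitting are omitted. Two simplifications relative to Definition 17 are assumed: projection (binding a sequence variable to the empty sequence) is tried at every sequence-variable position instead of once at the root, and the widening rules W1 and W2, which are the source of infinitely many unifiers, are applied at most `budget` times on a branch. Terms are plain tuples and all names are constructed here.

```python
# Constructed term conventions: an individual variable is a lowercase string, a
# sequence variable an uppercase string, f(t1,...,tn) is ('f', t1, ..., tn),
# and a constant is ('a',).  A substitution maps an individual variable to a
# term and a sequence variable to a tuple of terms.


def is_ivar(t):
    return isinstance(t, str) and t.islower()


def is_svar(t):
    return isinstance(t, str) and t.isupper()


def apply_seq(t, sigma):
    """Instance of t as a sequence of terms (Definition 5, no sequence functions)."""
    if is_ivar(t):
        return (sigma.get(t, t),)
    if is_svar(t):
        return tuple(sigma.get(t, (t,)))
    return ((t[0],) + tuple(s for a in t[1:] for s in apply_seq(a, sigma)),)


def apply(t, sigma):
    (r,) = apply_seq(t, sigma)      # an individual term instantiates to one term
    return r


def variables(t):
    return {t} if isinstance(t, str) else set().union(*(variables(a) for a in t[1:]))


def svars(t):
    return {v for v in variables(t) if is_svar(v)}


def compose(sigma, theta):
    """sigma followed by theta; trivial bindings are filtered out in unifiers()."""
    out = {v: apply(r, theta) if is_ivar(v) else
           tuple(s for u in r for s in apply_seq(u, theta)) for v, r in sigma.items()}
    for v, r in theta.items():
        out.setdefault(v, r)
    return out


def unify(eqs, sigma, budget):
    """Yield unifiers via T, O1, O2, S, TD/PD1, SVE1, SVE2, W1, W2 and projection.
    `budget` bounds the widening steps on a branch, since the solution set of a
    problem such as Example 8(3) is infinite."""

    def step(theta, bud=budget):     # apply theta to the problem and continue
        new_eqs = [(apply(l, theta), apply(r, theta)) for l, r in eqs]
        yield from unify(new_eqs, compose(sigma, theta), bud)

    if not eqs:
        yield sigma                                   # leaf <∅; σ>
        return
    (s, t), rest = eqs[0], eqs[1:]
    if s == t:                                        # Trivial
        yield from unify(rest, sigma, budget)
    elif is_ivar(t) and not is_ivar(s):               # Orient 1
        yield from unify([(t, s)] + rest, sigma, budget)
    elif is_ivar(s):                                  # Solve, with occurs check
        if s not in variables(t):
            yield from step({s: t})
    elif s[0] != t[0]:                                # symbol clash: failed branch
        return
    else:
        f, a, b = s[0], s[1:], t[1:]
        if not a or not b:                            # one argument list is exhausted
            first = (a or b)[0]
            if is_svar(first):                        # Projection: X ↦ ⌜⌝
                yield from step({first: ()})
        elif is_svar(b[0]) and not is_svar(a[0]):     # Orient 2
            yield from unify([(t, s)] + rest, sigma, budget)
        elif not is_svar(a[0]):                       # TD / PD1 on the first arguments
            yield from unify([(a[0], b[0]), ((f,) + a[1:], (f,) + b[1:])] + rest, sigma, budget)
        elif a[0] == b[0]:                            # SVE1: same sequence variable
            yield from unify([((f,) + a[1:], (f,) + b[1:])] + rest, sigma, budget)
        else:                                         # non-deterministic rules
            X = a[0]
            yield from step({X: ()})                  # Projection
            if X not in svars(b[0]):
                yield from step({X: (b[0],)})         # SVE2: X ↦ t
                if budget > 0:
                    yield from step({X: (b[0], X)}, budget - 1)       # W1: X ↦ ⌜t, X⌝
            if is_svar(b[0]) and budget > 0:
                yield from step({b[0]: (X, b[0])}, budget - 1)        # W2: Y ↦ ⌜X, Y⌝


def unifiers(eqs, budget=3):
    """Distinct unifiers of `eqs`, restricted to the problem's own variables."""
    vs = set().union(*(variables(l) | variables(r) for l, r in eqs))
    found = []
    for sigma in unify(list(eqs), {}, budget):
        restricted = {v: sigma[v] for v in vs
                      if v in sigma and sigma[v] != (v if is_ivar(v) else (v,))}
        if restricted not in found:
            found.append(restricted)
    return found


def is_unifier(eqs, sigma):
    return all(apply(l, sigma) == apply(r, sigma) for l, r in eqs)


# Example 8(3): f(a, x̄) ≈ f(x̄, a) has the unifiers x̄ ↦ ⌜⌝, x̄ ↦ a, x̄ ↦ ⌜a, a⌝, ...
EX8_3 = [(('f', ('a',), 'X'), ('f', 'X', ('a',)))]
```

Raising `budget` lengthens the enumerated prefix of the infinite solution set; every unifier returned for `EX8_3` is of the form $\overline{x} \mapsto \ulcorner a, \ldots, a \urcorner$, and with `budget=2` the search stops after four of them.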
5.1 Soundness, Completeness and Almost Minimality 

In this section we assume that $X = Var(\Gamma)$ and $Q = SFun(\Gamma)$ for a syntactic 
sequence unification problem $\Gamma$. The soundness theorem is not hard to prove: 

Theorem 6 (Soundness). If $\langle \Gamma; \varepsilon \rangle \Rightarrow^+ \langle \emptyset; \vartheta \rangle$, then $\vartheta \in \mathcal{U}_\emptyset(\Gamma)$. 

Completeness can be proved by showing that for any unifier $\vartheta$ of $\Gamma$ there 
exists a derivation from $\langle \Gamma; \varepsilon \rangle$ that terminates with success and the substitution 
in the last system of the derivation is strongly more general than $\vartheta$: 

Lemma 1. For any $\vartheta \in \mathcal{U}_\emptyset(\Gamma)$ there exists a derivation of the form $\langle \Gamma_1; \sigma_1 \rangle \Rightarrow_{\mathrm{X}} 
\langle \Gamma_2; \sigma_2 \rangle \Rightarrow_{BT} \langle \Gamma_3; \sigma_3 \rangle \Rightarrow_{BT} \cdots \Rightarrow_{BT} \langle \emptyset; \sigma_n \rangle$ with $\Gamma_1 = \Gamma$ and $\sigma_1 = \varepsilon$ such 
that if $\vartheta$ is erasing on $X$ then $\mathrm{X} = P$, otherwise $\mathrm{X} = BT$, and $\sigma_n \preceq^{X,Q}_\emptyset \vartheta$. 

From Theorem 6, Lemma 1, and the fact that $\preceq^{X,Q}_\emptyset \subseteq \leq^{X,Q}_\emptyset$, by Definition 17 and Definition 15 we get the completeness theorem: 

Theorem 7 (Completeness). $Sol_\emptyset(\Gamma)$ is a complete set of unifiers of $\Gamma$. 

The set $Sol_\emptyset(\Gamma)$, in general, is not minimal with respect to $Var(\Gamma)$ and 
$SFun(\Gamma)$ modulo the free theory. Just consider $\Gamma = \{f(\overline{x}) \approx^?_\emptyset f(\overline{y})\}$; then 
$Sol_\emptyset(\Gamma) = \{\{\overline{x} \mapsto \overline{y}\}, \{\overline{x} \mapsto \ulcorner \urcorner, \overline{y} \mapsto \ulcorner \urcorner\}\}$. However, it can be shown that 
$Sol_\emptyset(\Gamma)$ is almost minimal. In fact, the following stronger statement holds: 

Theorem 8 (Almost Disjointness). $Sol_\emptyset(\Gamma)$ is almost disjoint wrt $X$ and $Q$. 

Theorem 7, Theorem 8 and Proposition 2 imply the main result of this section: 

Theorem 9 (Main Theorem). $Sol_\emptyset(\Gamma) = amcu_\emptyset(\Gamma)$. 

6 Conclusions and Related Work 

We showed that general syntactic unification with sequence variables and se- 
quence functions is decidable and has the infinitary type. We developed a unifi- 
cation procedure and showed its soundness, completeness and almost minimality. 

Historically, probably the first attempt to implement unification with sequence variables (without sequence functions) was made in the system MVL [7]. 
It was incomplete because of the restricted use of the widening technique. The restriction 
was imposed for efficiency reasons. No theoretical study of the unification 
algorithm of MVL, to the best of our knowledge, was undertaken. 

Richardson and Fuchs [16] describe another unification algorithm with sequence variables that they call vector variables. Vector variables come with their 
length attached, which makes unification finitary. The algorithm was implemented 
but its properties have never been investigated. 

The implementation of first-order logic in Isabelle [14] is based on a sequent calculus formulated using sequence variables (on the meta level). Sequence meta-variables are used to denote sequences of formulae, and individual meta-variables 
denote single formulae. Since in every such unification problem no sequence 
meta-variable occurs more than once, and all of them occur only on the top 
level, Isabelle, in fact, deals with a finitary case of sequence unification. 

Word equations [1,8] and associative unification [15] can be modelled by 
syntactic sequence unification using constants, sequence variables and one flexible arity function symbol. In a similar way we can imitate the unification 
algorithm for path logics closed under right identity and associativity [17]. 

The Set-Var prover [4] has a construct called vector of (Skolem) functions 
that resembles our sequence functions. However, its unification does not allow 
splitting vectors of functions between variables: such a vector of functions either 
entirely unifies with a variable, or with another vector of functions. 

The programming language of Mathematica uses pattern matching that 
supports sequence variables (represented as identifiers with "triple blanks", e.g., 
x___) and flexible arity function symbols. Our procedure (without sequence function symbols) can imitate the behavior of the Mathematica matching algorithm. 

Buchberger introduced sequence functions in the Theorema system [6] to 
Skolemize quantified sequence variables. In the equational prover of Theorema 
[11] we implemented a special case of unification with sequence variables and 
sequence functions: sequence variables occurring only in the last argument positions in terms. This makes unification unitary. A similar restriction is imposed on 
sequence variables in the RelFun system [5] that integrates extensions of logic 
and functional programming. RelFun allows multiple-valued functions as well. 

In [10] we described unification procedures for free, flat, restricted flat and 
orderless theories with sequence variables, but without sequence functions. 

Under certain restrictions sequence unification problems have at most finitely 
many solutions: sequence variables in the last argument positions, unification 
problems with at least one ground side (matching as a particular instance), all 
sequence variables on the top level with maximum one occurrence. It would be 
interesting to identify more cases with finite or finitely representable solution 
sets. 
Abstract. In this paper, we present the formal verification of a Common Lisp implementation of Buchberger's algorithm for computing 
Gröbner bases of polynomial ideals. This work is carried out in the Acl2 
system and shows how verified Computer Algebra can be achieved in an 
executable logic. 



1 Introduction 

Computer Algebra has experienced a great development in the last decade, as 
can be seen from the proliferation of Computer Algebra Systems (CAS). These 
systems are the culmination of theoretical results obtained in the last half century. One of the main achievements is due to B. Buchberger. In 1965 he devised 
an algorithm for computing Gröbner bases of multivariate polynomial ideals, 
thus solving the ideal membership problem for polynomial rings. Currently, his 
algorithm is available in most CAS and its theory, implementation and numerous 
applications are widely documented in the literature, e.g. [2,4]. 

The aim of this paper is to describe the formal verification of a naive Common Lisp implementation of Buchberger's algorithm. The implementation and 
formal proofs have been carried out in the Acl2 system, which consists of a programming language, a logic for stating and proving properties of the programs, 
and a theorem prover supporting mechanized reasoning in the logic. 

The importance of Buchberger's algorithm in Computer Algebra justifies on 
its own the effort of obtaining a formal correctness proof with a theorem prover, 
and this is one of the motivations for this work. Nevertheless, this goal has 
already been achieved by L. Théry in [13], where he gives a formal proof using 
the COQ system and explains how an executable implementation in the Ocaml 
language is extracted from the algorithm defined in COQ. In contrast, in Acl2 
we can reason directly about the Lisp program implementing the algorithm, i.e. 
about the very program which is executed by the underlying Lisp system. There 
is a price to pay: the logic of Acl2 is a quantifier-free fragment of first-order 
logic, less expressive than the logic of COQ, which is based on type theory. We 
show how it is possible to formalize all the needed theory within the Acl2 logic. 

The formal proofs developed in Acl2 are mainly adapted from Chap. 8 of [1]. 
As the whole development consists of roughly one thousand Acl2 theorems and 
function definitions, we will only scratch its surface, presenting the main results 
and a sketch of how the pieces fit together. We will necessarily omit many details 
that, we expect, can be inferred from the context. 



2 The Acl2 System 

Acl2 formalizes an applicative subset of Common Lisp. In fact, the same language, based on prefix notation, is used for writing Lisp code and stating theorems about it. The logic is a quantifier-free fragment of first-order logic with 
equality. It includes axioms for propositional logic and for a number of Lisp 
functions and data types. Inference rules include those for propositional calculus, equality and instantiation (variables in formulas are implicitly universally 
quantified). One important inference rule is the principle of induction, that permits proofs by well-founded induction on the ordinal $\varepsilon_0$ (the logic provides a 
constructive definition of the ordinals up to $\varepsilon_0$). 

By the principle of definition, new function definitions are admitted as axioms 
(using defun) only if their termination is proved by means of an ordinal measure 
in which the arguments of each recursive call, if any, decrease. In addition, the 
encapsulation principle allows the user to introduce new function symbols (using 
encapsulate) that are constrained to satisfy certain assumptions. To ensure that 
the constraints are satisfiable, the user must provide a witness function with the 
required properties. Within the scope of an encapsulate, properties stated as 
theorems need to be proved for the witnesses; outside, these theorems work as as- 
sumed axioms. Together, encapsulation and the derived inference rule, functional 
instantiation, provide a second-order aspect [5,6]: theorems about constrained 
functions can be instantiated with function symbols if they are proved to have 
the same properties. 

The Acl2 theorem prover mechanizes the logic, being particularly well suited 
for obtaining automated proofs based on simplification and induction. Although 
the prover is automatic in the sense that once a proof attempt is started (with 
defthm) the user can no longer interact, it is nevertheless interactive in a deeper 
sense: usually, the role of the user is to lead the prover to a preconceived hand 
proof, by proving a suitable collection of lemmas that are used as rewrite rules 
in subsequent proofs (these lemmas are usually discovered by the user after the 
inspection of failed proofs). We used this kind of interaction to obtain the formal 
proofs presented here. For a detailed description of Acl2, we refer the reader to 
the Acl2 book [5]. 

¹ Nevertheless, the degree of automation of the Acl2 theorem prover is higher than 
in other systems with more expressive logics. 

² Although we are aware that prefix notation may be inconvenient for people not used 
to Lisp, we will maintain it to emphasize the use of a real programming language. 
3 Polynomial Rings and Ideals 

Let $R = K[x_1, \ldots, x_k]$ be a polynomial ring on an arbitrary commutative field 
$K$, where $k \in \mathbb{N}$. The elements of $R$ are polynomials in the indeterminates 
$x_1, \ldots, x_k$ with the coefficients in $K$. Polynomials are built from monomials of 
$R$, that is, power products like $c \cdot x_1^{a_1} \cdots x_k^{a_k}$, where $c \in K$ is the coefficient, 
$x_1^{a_1} \cdots x_k^{a_k}$ is the term, and $a_1, \ldots, a_k \in \mathbb{N}$. 

Therefore, there are several algebraic structures that must be formalized 
prior to the notion of polynomial. A computational theory of multivariate 
polynomials on a coefficient field was developed in [8,9]. This Acl2 formaliza- 
tion includes common operations and fundamental properties establishing a ring 
structure. The aim was to develop a reusable library on polynomials. 

Regarding polynomial representation, we have used a sparse, normalized and 
uniform representation. That is, having fixed the number of variables, a canoni- 
cal form can be associated with each polynomial. In this canonical representation 
all monomials are arranged in a strictly decreasing order, there are no null mono- 
mials and all of them have the same number of variables. The main advantage 
of this representation arises when deciding equality [9]. 

Monomial lists are used as the internal representation of polynomials. Mono- 
mials are also lists consisting of a coefficient and a term. Having selected a set 
of variables and an ordering on them, each term is uniquely represented by a 
list of natural numbers. Although most of the theory is done for an arbitrary 
field, via the encapsulation principle, we use polynomials over the field of rational 
numbers for our implementation of Buchberger’s algorithm. This alleviates some 
proofs at the cost of some generality, as Acl2 can use its built-in linear arith- 
metic decision procedure. In any case, the general theory has to be eventually 
instantiated to obtain an executable algorithm. 

The functions k-polynomialp and k-polynomialsp recognize polynomials 
and polynomial lists (with k variables and rational coefficients). Analogously, 
+, *, - and |0| stand for polynomial addition, multiplication, negation and 
the zero polynomial. Let us now introduce the notion of ideal, along with the 
formalization of polynomial ideals in Acl2. 

Definition 1. $I \subseteq R$ is an ideal of $R$ if it is closed under addition and under 
the product by elements of $R$. 

Definition 2. The ideal generated by $B \subseteq R$, denoted as $\langle B \rangle$, is the set of linear 
combinations of $B$ with coefficients in $R$. We say that $B$ is a basis of $I \subseteq R$ if 
$I = \langle B \rangle$. An ideal is finitely-generated if it has a finite basis. 

Hilbert’s Basis Theorem implies that every ideal in $K[x_1, \ldots, x_k]$ is finitely- 
generated, if $K$ is a field. Polynomial ideals can be expressed in Acl2 by taking 
this into account. Let $C$ and $F$ be lists of polynomials. The predicate $p \in \langle F \rangle$ 
can be restated as $\exists C\; p = \mathit{lin\text{-}comb}(C, F)$, where lin-comb is a recursive function 
computing the linear combination of the elements in $F$ with coefficients in $C$. 

As the Acl2 logic is quantifier-free, we use a common trick: we introduce a 
Skolem function assumed to return a list of coefficients witnessing the ideal 
membership. In Acl2 this can be expressed in the following way: 

(defun-sk<k> inO (p F) 
  (exists (C) (and (k-polynomialsp C) (equal p (lin-comb C F))))) 

The use of exists in this definition is just syntactic sugar. Roughly speaking, 
the above construction introduces a Skolem function inO-witness, with argu- 
ments p and F, which is axiomatized to choose, if possible, a list C of polynomial 
coefficients such that when linearly combined with the polynomials in F, p is ob- 
tained. Thus, C is a witness of the membership of p in the ideal generated by F, 
and inO is defined by means of inO-witness. The following theorems establish 
that our definition of ideal in Acl2 meets the intended closure properties: 

(defthm |p in <F> & q in <F> => p + q in <F>| 
  (implies (and (k-polynomialp p) (k-polynomialp q) (k-polynomialsp F)) 
           (implies (and (inO p F) (inO q F)) (inO (+ p q) F)))) 

(defthm |q in <F> => p * q in <F>| 
  (implies (and (k-polynomialp p) (k-polynomialp q) (k-polynomialsp F)) 
           (implies (inO q F) (inO (* p q) F)))) 

Whenever a theorem about inO is proved we have to provide Acl2 with 
a hint to construct the necessary witness. For example, to prove that polyno- 
mial ideals are closed under addition we straightforwardly built an intermediate 
function computing the witness of $p + q \in \langle F \rangle$ from those of $p \in \langle F \rangle$ and $q \in \langle F \rangle$. 

Definition 3. The congruence induced by an ideal $I$, written as $=_I$, is defined 
by $p =_I q \iff p - q \in I$. 

The definition of $=_{\langle F \rangle}$ in Acl2 is immediate³: 

(defun<k> =<> (p q F) 
  (inO (+ p (- q)) F)) 

Clearly, the ideal membership problem for an ideal $I$ is solvable if, and only 
if, its induced congruence $=_I$ is decidable. Polynomial reductions will help us to 
design decision procedures for that congruence. 

4 Polynomial Reductions 

Let $<_M$ be a well-founded ordering on monomials, $p \neq 0$ a polynomial and let 
$lm(p)$ denote the leader monomial of $p$ with respect to $<_M$. 

Definition 4. Let $f \neq 0$ be a polynomial. The reduction relation on polynomi- 
als induced by $f$, denoted as $\to_f$, is defined such that $p \to_f q$ if $p$ contains a 
monomial $m \neq 0$ such that there exists a monomial $c$ such that $m = -c \cdot lm(f)$ 
and $q = p + c \cdot f$. If $F = \{f_1, \ldots, f_k\}$ is a finite set of polynomials, then the 
reduction relation induced by $F$ is defined as $\to_F = \bigcup_{i=1}^{k} \to_{f_i}$. 

³ For the sake of readability, we use defun-sk<k> and defun<k>, instead of defun-sk 
and defun. These are just macros which add an extra parameter k (the number of 
variables) to a function definition, so we do not have to specify it in each function 
application. When k is not involved, defun is used. 
We have formalized polynomial reductions in the framework of abstract re- 
ductions developed in [11]. This approach will allow us to export, by functional 
instantiation, well-known properties of abstract reductions (for example, New- 
man’s lemma) to the case of polynomial reductions, avoiding the need to prove 
them from scratch. 

In [11], instead of defining reductions as binary relations, they are defined as 
the action of operators on elements, obtaining reduced elements. More precisely, 
the representation of a reduction relation requires defining three functions: 

1. A unary predicate specifying the domain where the reduction is defined. In 
our case, polynomials, as defined by the function k-polynomialp. 

2. A binary function, reduction, computing the application of an operator to 
a polynomial. In our case, operators are represented by structures $(m, c, f)$ 
consisting of the monomials $m$ and $c$, and the polynomial $f$ appearing in the 
definition of the polynomial reduction relation (Def. 4). 

3. A binary predicate checking whether the application of a given operator to 
a given object is valid. The application of an operator $(m, c, f)$ to $p$ is valid 
if $p$ is a polynomial containing the monomial $m$, $f \neq 0$ is a polynomial in 
$F$ and $c = -m / lm(f)$. Notice that the last requirement implies that $lm(f)$ 
must divide $m$. This validity predicate is implemented by a function validp. 

These functions are just what we need to define in Acl2 all the concepts 
related to polynomial reductions. Let us begin defining $\leftrightarrow_F$ (the symmetric clo- 
sure of $\to_F$). We need the notion of proof step to represent the connection of 
two polynomials by the reduction relation, in either direction (direct or inverse). 
Each proof step is a structure consisting of four fields: a boolean field mark- 
ing the step direction, the operator applied, and the elements connected (elt1, 
elt2). A proof step is valid if one of its elements is obtained by a valid applica- 
tion of its operator to the other element in the specified direction. The function 
valid-proof-stepp (omitted here) checks the validity of a proof step. 

The following function formalizes in Acl2 the relation $\leftrightarrow_F$. Note that due 
to the absence of existential quantification, the step argument is needed to 
explicitly introduce the proof step justifying that $p \leftrightarrow_F q$. 

(defun <-> (p q step F) 
  (and (valid-proof-stepp step F) 
       (equal p (elt1 step)) (equal q (elt2 step)))) 

Next, we define $\leftrightarrow_F^*$ (the equivalence closure of $\leftrightarrow_F$). This can be described 
by means of a sequence of concatenated proof steps, which we call a proof⁴. Note 
that again, due to the absence of existential quantification, the proof argument 
explicitly introduces the proof steps justifying that $p \leftrightarrow_F^* q$. 

(defun <->* (p q proof F) 
  (if (endp proof) 
      (and (equal p q) (k-polynomialp p)) 
      (and (k-polynomialp p) 
           (<-> p (elt2 (first proof)) (first proof) F) 
           (<->* (elt2 (first proof)) q (rest proof) F)))) 

⁴ Notice that the meaning of the word “proof” here is different than in the expression 
“Acl2 proof”. This proof is just a sequence of reduction steps. In fact, we are 
formalizing an algebraic proof system inside Acl2. 

176    I. Medina-Bulo et al. 

In the same way, we define the relation $\to_F^*$ (the transitive closure of $\to_F$) by 
a function called ->* (in this case, we also check that all proof steps are direct). 

The following theorems establish that the congruence $=_{\langle F \rangle}$ is equal to the 
equivalence closure $\leftrightarrow_F^*$. This result is crucial to connect the results about re- 
duction relations to polynomial ideals. 

(defthm |p =<F> q => p <->F* q| 
  (let ((proof (|p =<F> q => p <->F* q|-proof p q F))) 
    (implies (and (k-polynomialp p) (k-polynomialp q) (k-polynomialsp F) 
                  (=<> p q F)) 
             (<->* p q proof F)))) 

(defthm |p <->F* q => p =<F> q| 
  (implies (and (k-polynomialp p) (k-polynomialp q) (k-polynomialsp F) 
                (<->* p q proof F)) 
           (=<> p q F))) 

These two theorems establish that it is possible to obtain a sequence of proof 
steps justifying that $p \leftrightarrow_F^* q$ from a list of coefficients justifying that $p - q \in \langle F \rangle$, 
and vice versa. The expression (|p =<F> q => p <->F* q|-proof p q F) ex- 
plicitly computes such a proof, in a recursive way. This is typical in our develop- 
ment: in many subsequent Acl2 theorems, the proof argument in <->* or ->* 
will be locally bound (through a let or let* form) to a function computing 
the necessary proof steps. As these functions are rather technical and it would 
take long to explain them, we will omit their definitions. But it is important to 
remark on this constructive aspect of our formalization. 

Next, we proceed to prove the Noetherianity of the reduction relation. In the 
sequel, < represents the polynomial ordering whose well-foundedness was proved 
in [9]⁵. This ordering can be used to state the Noetherianity of the polynomial 
reduction. For this purpose, it suffices to prove that the application of a valid 
operator to a polynomial produces a smaller polynomial with respect to this 
well-founded relation: 

(defthm |validp(p, o, F) => reduction(p, o) < p| 
  (implies (and (k-polynomialp p) (k-polynomialsp F)) 
           (implies (validp p o F) (< (reduction p o) p)))) 

As a consequence of Noetherianity we can define the notion of normal form. 

Definition 5. A polynomial $p$ is in normal form or is irreducible w.r.t. $\to_F$ if 
there is no $q$ such that $p \to_F q$. Otherwise, $p$ is said to be reducible. A polynomial 
$q$ is a normal form of $p$ w.r.t. $\to_F$ if $p \to_F^* q$ and $q$ is irreducible w.r.t. $\to_F$. 

⁵ As is customary in Acl2, this is proved by means of an ordinal embedding into $\varepsilon_0$. 
The notion of normal form of a polynomial can be easily defined in our 
framework. First, we define a function reducible, implementing a reducibility 
test: when applied to a polynomial p and to a list of polynomials F, it returns 
a valid operator, whenever it exists, or nil otherwise. The following theorems 
state the main properties of reducible: 

(defthm |reducible(p, F) => validp(p, reducible(p, F), F)| 
  (implies (reducible p F) 
           (validp p (reducible p F) F))) 

(defthm |~reducible(p, F) => ~validp(p, o, F)| 
  (implies (not (reducible p F)) 
           (not (validp p o F)))) 

Now it is easy to define a function nf that computes a normal form of a given 
polynomial with respect to the reduction relation induced by a given list of poly- 
nomials. This function is simple: it iteratively tests reducibility and applies valid 
operators until an irreducible polynomial is found. Note that termination is guar- 
anteed by the Noetherianity of the reduction relation and the well-foundedness 
of the polynomial ordering. 

(defun<k> nf (p F) 
  (if (and (k-polynomialp p) (k-polynomialsp F)) 
      (let ((red (reducible p F))) 
        (if red (nf (reduction p red) F) p)) 
      p)) 

The following theorems establish that, in fact, nf computes normal forms. 
Again, in order to prove that $p \to_F^* nf_F(p)$, we have to explicitly define a func- 
tion |p ->F* nf(p, F)|-proof which constructs a proof justifying this. This 
function is easily defined by collecting the operators returned by reducible. 

(defthm |p ->F* nf(p, F)| 
  (let ((proof (|p ->F* nf(p, F)|-proof p F))) 
    (implies (and (k-polynomialp p) (k-polynomialsp F)) 
             (->* p (nf p F) proof F)))) 

(defthm |nf(p, F) irreducible| 
  (implies (and (k-polynomialp p) (k-polynomialsp F)) 
           (not (validp (nf p F) o F)))) 

Although nf is suitable for reasoning about normal form computation, it is 
not suitable for being used by an implementation of Buchberger’s algorithm: for 
example, nf explicitly deals with operators, which are a concept of theoretical 
nature. At this point, we turn to the polynomial reduction function red*, 
used in Buchberger’s algorithm. This function (whose definition we omit) does not 
make any use of operators but is modeled from the closure of the set extension 
of another function, red, which takes two polynomials as its input and returns 
the result of reducing the first polynomial with respect to the second one. The 
following theorem shows the equivalence between $nf_F$ and $red^*_F$: 
(defthm |nf(p, F) = red*(p, F)| 
  (implies (and (k-polynomialp p) (k-polynomialsp F)) 
           (equal (nf p F) (red* p F)))) 

With this result, we can translate all the properties proved about nf to red*. 
This is typical in our formalization: we use some functions for reasoning, and 
other functions for computing, translating the properties from one to another by 
proving equivalence theorems. For example, we proved the stability of the ideal 
with respect to red* using this technique. 

5 Gröbner Bases 

The computation of normal forms with respect to a given ideal can be seen as a 
generalized polynomial division algorithm, and the normal form computed as the 
“remainder” of that division. The ideal membership problem can be solved taking 
this into account: compute the normal form and check for the zero polynomial. 
Unfortunately, it is possible that, for a given basis $F$, a polynomial in $\langle F \rangle$ cannot 
be reduced to the zero polynomial. This is where Gröbner bases come into play: 

Definition 6. $G$ is a Gröbner basis of the ideal generated by $F$ if $\langle G \rangle = \langle F \rangle$ 
and $p \in \langle G \rangle \iff p \to_G^* 0$. 

The key point in Buchberger’s algorithm is that the property of being a 
Gröbner basis can be deduced by only checking that a finite number of polyno- 
mials (called s-polynomials) are reduced to zero: 

Definition 7. Let $p$ and $q$ be polynomials. Let $m$, $m_1$ and $m_2$ be monomials such 
that $m = lcm(lm(p), lm(q))$ and $m_1 \cdot lm(p) = m = m_2 \cdot lm(q)$. The s-polynomial 
induced by $p$ and $q$ is defined as $s\text{-}poly(p, q) = m_1 \cdot p - m_2 \cdot q$. 

Theorem 1. Let $\Phi(F) \equiv \forall p, q \in F\; s\text{-}poly(p, q) \to_F^* 0$. The reduction induced 
by $F$ is locally confluent if $\Phi(F)$ is verified. That is: 

$\Phi(F) \Rightarrow \forall p, q, r\; (p \leftarrow_F r \to_F q \Rightarrow \exists s\; (p \to_F^* s \wedge q \to_F^* s))$ 

This theorem was the most difficult to formalize and prove in our work. First, 
note that it cannot be stated as a single theorem in the quantifier-free Acl2 logic, 
due to the universal quantifier in its hypothesis, $\Phi(F)$. For this reason, we state 
its hypothesis by the following encapsulate (we omit the local witnesses and 
some nonessential technical details): 

(encapsulate 
  ((F () t) (s-polynomial-proof (p q) t)) 

  (defthm |Phi(F)| 
    (let ((proof (s-polynomial-proof p q))) 
      (and (k-polynomialsp (F)) 
           (implies (and (inO p (F)) (inO q (F))) 
                    (->* (s-poly p q) (|0|) proof (F))))))) 
The first line of this encapsulate presents the signature of the functions it in- 
troduces, and the theorem inside can be seen as an assumed property about these 
functions. In this case, we are assuming that we have a list of polynomials given 
by the 0-ary function F, with the property that every s-polynomial formed with 
pairs of elements of (F) is reduced to (|0|). This reduction is justified by a func- 
tion s-polynomial-proof computing the corresponding sequence of proof steps 
representing the reduction to (|0|). We insist that F and s-polynomial-proof 
are not completely defined: we are only assuming |Phi(F)| about them. 

Now, the conclusion of Th. 1 is established as follows: 

(defthm |Phi(F) => local-confluence(->F)| 
  (let ((proof2 (transform-local-peak-F proof1))) 
    (implies (and (k-polynomialp p) (k-polynomialp q) 
                  (<->* p q proof1 (F)) (local-peakp proof1)) 
             (and (<->* p q proof2 (F)) (valleyp proof2))))) 

This theorem needs some explanation. Note that local confluence can be 
reformulated in terms of the “shape” of the involved proofs: a reduction is 
locally confluent if, and only if, for every local peak proof (that is, of the 
form $p \leftarrow_F r \to_F q$) there exists an equivalent valley proof (that is, of the form 
$p \to_F^* s \leftarrow_F^* q$). It is easy to define in Acl2 the functions local-peakp and valleyp, 
checking those shapes of proofs. Note that again, due to the absence of existen- 
tial quantification, the valley proof in the above theorem is given by a function 
transform-local-peak-F, such that from a given local peak proof, it computes 
an equivalent valley proof. The definition of this function is very long and follows 
the same case distinction as in the classical proof of this result; only in one of 
its cases (the one dealing with “overlaps”), s-polynomial-proof is used as an 
auxiliary function, reflecting in this way where the assumption about $\Phi(F)$ is 
necessary. 

The last step in this section follows from general results of abstract reduction 
relations. In particular, if a reduction is locally confluent and Noetherian then 
its induced equivalence can be decided by checking if normal forms are equal. 
This has been proved in Acl2 [11] as a consequence of Newman’s lemma, also 
proved there. We can reuse this general result by functional instantiation and 
obtain an Acl2 proof of the fact that, if $\Phi(F)$, $p \leftrightarrow_F^* q \iff nf_F(p) = nf_F(q)$. 

With this result, and using the equality between $nf_F$ and $red^*_F$, and the 
equality between $=_{\langle F \rangle}$ and $\leftrightarrow_F^*$, it can be easily deduced that if $\Phi(F)$ then $F$ is 
a Gröbner basis (of $\langle F \rangle$). This is established by the following theorem (notice 
that (F) is still the list of polynomials assumed to have property $\Phi$ by the above 
encapsulate): 

(defthm |Phi(F) => (p in <F> <=> red*(p, F) = 0)| 
  (implies (k-polynomialp p) 
           (iff (inO p (F)) (equal (red* p (F)) (|0|))))) 



6 Buchberger’s Algorithm 

Buchberger’s algorithm obtains a Gröbner basis of a given finite set of polyno- 
mials F by the following procedure: if there is an s-polynomial of F such that its 
normal form is not zero, then this normal form can be added to the basis. This 
makes it reducible to zero (without changing the ideal), but new s-polynomials 
are introduced that have to be checked. This completion process is iterated until 
all the s-polynomials of the current basis are reducible to zero. 

In order to formalize an executable implementation of Buchberger’s algorithm 
in Acl2, several helper functions are needed. The function initial-pairs re- 
turns all the ordered pairs from the elements of a list. The main function com- 
putes the initial pairs from a basis and starts the real computation process. 

(defun Buchberger (F) 
  (Buchberger-aux F (initial-pairs F))) 

Next, the function that computes a Gröbner basis from an initial basis is 
defined. This function takes the initial basis and a list of pairs as its input. The 
function pairs returns the ordered pairs built from its first argument and every 
element in its second argument. As all Acl2 functions must be total and we 
need to deal with polynomials with a fixed set of variables to ensure termination 
of the function, we have to explicitly check that the arguments remain in the 
correct domain. We will comment more about these “type conditions” in Sect. 7. 

(defun<k> Buchberger-aux (F C) 
  (if (and (naturalp k) (k-polynomialsp F) (k-polynomial-pairsp C)) 
      (if (endp C) 
          F 
          (let* ((p (first (first C))) (q (second (first C))) 
                 (h (red* (s-poly p q) F))) 
            (if (equal h (|0|)) 
                (Buchberger-aux F (rest C)) 
                (Buchberger-aux (cons h F) (append (pairs h F) (rest C)))))) 
      F)) 

A measure has to be supplied to prove the termination of the above function, 
so that it can be admitted by the principle of definition. The following section 
explains this issue. 



6.1 Termination 

Termination of Buchberger’s algorithm can be proved using a lexicographic mea- 
sure on its arguments. This is justified by the following observations: 

1. In the first recursive branch, the first argument is left unmodified while the 
second argument structurally decreases, since one of its elements is removed. 

2. In the second recursive branch, the first argument decreases in a certain 
well-founded sense despite the inclusion of a new polynomial. This is a 
consequence of Dickson’s lemma. 

Lemma 1 (Dickson). Let $k \in \mathbb{N}$ and $m_1, m_2, \ldots$ be an infinite sequence of mono- 
mials with $k$ variables. Then, there exist indices $i < j$ such that $m_i$ divides $m_j$. 
If we consider the sequence of terms consisting of the leader terms of the 
polynomials added to the first argument, Dickson’s lemma implies termination 
of Buchberger’s algorithm. This is because the polynomial added to the basis, 
h, is not 0 and it cannot be reduced by F. Consequently, its leader term is not 
divisible by any of the leader terms of the polynomials in F. 

Dickson’s lemma has been formalized in Acl2 in [7] and [12]. In both cases 
it has been proved by providing an ordinal measure on finite sequences of terms 
such that this measure decreases every time a new term not divisible by any of 
the previous terms in the sequence is added. 

We have defined a measure along these lines to prove the termination of 
Buchberger’s algorithm. In fact, our measure is defined on top of the measures 
used to prove Dickson’s lemma in [7,12], lexicographically combined with the 
length of the second argument. Although both proofs of Dickson’s lemma are 
based on totally different ideas, the results obtained can be used interchangeably 
in our formalization. 



6.2 Partial Correctness 

In order to show that Buchberger computes a Gröbner basis, and taking into ac- 
count the results of the previous section, we just have to prove that $p \in \langle F \rangle \iff 
p \in \langle Buchberger(F) \rangle$ and that $Buchberger(F)$ satisfies $\Phi$. The following Acl2 
theorems establish these two properties: 

(defthm |<Buchberger(F)> = <F>| 
  (implies (and (k-polynomialp p) (k-polynomialsp F)) 
           (iff (inO p (Buchberger F)) (inO p F)))) 

(defthm |Phi(Buchberger(F))| 
  (let ((G (Buchberger F)) (proof (|Phi(Buchberger(F))|-proof p q F))) 
    (implies (and (k-polynomialp p) (k-polynomialp q) (k-polynomialsp F) 
                  (inO p G) (inO q G)) 
             (->* (s-poly p q) (|0|) proof G)))) 

The statement of this last theorem deserves some comments. Our Acl2 for- 
mulation of Th. 1 defines the property $\Phi(F)$ as the existence of a function such 
that for every s-polynomial of F, it computes a sequence of proof steps justi- 
fying its reduction to (|0|) (assumption |Phi(F)| in the encapsulate of the 
previous section). Thus, if we want to establish the property $\Phi$ for a particular 
basis (the basis returned by Buchberger in this case), we must explicitly define 
such a function and prove that it returns the desired proofs for every s-polynomial 
of the basis. In this case the function is called |Phi(Buchberger(F))|-proof. 
For the sake of brevity, we omit the definition of this function, but it is very 
interesting to point out that it is based on a recursion scheme very similar to 
the recursive definition of Buchberger-aux. This function collects, every time a 
new s-polynomial is examined, the corresponding proof justifying its reduction 
to the zero polynomial. 
6.3 Deciding Ideal Membership 

Finally, we can compile the results above to define a decision procedure for ideal 
membership. This procedure just checks whether a given polynomial reduces to 
0 with respect to the Gröbner basis returned by Buchberger’s algorithm. 

(defun<k> imdp (p F) 
  (equal (red* p (Buchberger F)) (|0|))) 

Theorem 2. $G = Buchberger(F) \Rightarrow (p \in \langle F \rangle \iff red^*_G(p) = 0)$. 

The Acl2 theorem stating the soundness and completeness of the decision 
procedure follows, as an easy consequence of the correctness of Buchberger and 
the theorem |Phi(F) => (p in <F> <=> red*(p, F) = 0)| in Sect. 5. 

(defthm |p en <F> <=> imdp(p, F)| 
  (implies (and (k-polynomialp p) (k-polynomialsp F)) 
           (iff (inO p F) (imdp p F)))) 

In this context, the theorem |Phi(F) => (p in <F> <=> red*(p, F) = 0)| 
is used by functional instantiation, replacing F by (lambda () (Buchberger F)) 
and s-polynomial-proof by |Phi(Buchberger(F))|-proof. 

Note that all the functions used in the definition of the decision procedure are 
executable and therefore the procedure is also executable. Note also that we do 
not mention operators or proofs, neither when defining the decision procedure 
nor when stating its correctness. These are only intermediate concepts, which 
make reasoning more convenient. 
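As an added, executable illustration (not the paper’s Acl2 code; every name below is ours) of the pieces assembled in Sects. 3 to 6, the following Python transcription over rational coefficients uses the same sparse, normalized monomial-list representation, the operator-based reducible/validp/reduction test and the normal-form loop of Sect. 4, the s-polynomial of Def. 7, the Buchberger-aux completion loop with its worklist of pairs, and the imdp decision procedure. It assumes two variables and a lexicographic term order, and its sample polynomials are constructed for the example.

```python
from fractions import Fraction
from itertools import combinations

# Added example (not the paper's ACL2 code). A polynomial is a sparse,
# normalized, uniform monomial list [(coef, term), ...]: coef a non-zero
# Fraction, term a k-tuple of exponents, monomials in strictly decreasing
# lexicographic order of terms, so equal polynomials are equal lists.

def poly(*monos):
    """Build a normalized polynomial from (coef, term) pairs."""
    return normalize([(Fraction(c), tuple(t)) for c, t in monos])

def normalize(monos):
    """Collect like terms, drop zero coefficients, sort decreasing (lex)."""
    acc = {}
    for c, t in monos:
        acc[t] = acc.get(t, Fraction(0)) + c
    return [(c, t) for t, c in sorted(acc.items(), reverse=True) if c != 0]

def add(p, q):
    return normalize(p + q)

def neg(p):
    return [(-c, t) for c, t in p]

def mul(p, q):
    return normalize([(c1 * c2, tuple(a + b for a, b in zip(t1, t2)))
                      for c1, t1 in p for c2, t2 in q])

def lm(p):
    """Leading monomial of a non-zero polynomial (head of the sorted list)."""
    return p[0]

def divides(t1, t2):
    return all(a <= b for a, b in zip(t1, t2))

def reducible(p, F):
    """Reducibility test (Sect. 4): a valid operator (m, c, f) with m a
    monomial of p, f in F non-zero and c = -m / lm(f), or None."""
    for m in p:
        for f in F:
            if f and divides(lm(f)[1], m[1]):
                c = (-m[0] / lm(f)[0],
                     tuple(a - b for a, b in zip(m[1], lm(f)[1])))
                return (m, c, f)
    return None

def validp(p, op, F):
    """Operator (m, c, f) applies validly to p iff m is in p, f is a non-zero
    element of F and c * lm(f) = -m (hence lm(f) divides m)."""
    m, c, f = op
    if not f or f not in F or m not in p:
        return False
    return mul([c], [lm(f)]) == [(-m[0], m[1])]

def reduction(p, op):
    """One reduction step q = p + c * f, which cancels the monomial m."""
    m, c, f = op
    return add(p, mul([c], f))

def nf(p, F):
    """Normal form (red*): apply valid operators until p is irreducible.
    Each step yields a strictly smaller polynomial, so the loop terminates."""
    op = reducible(p, F)
    while op is not None:
        p = reduction(p, op)
        op = reducible(p, F)
    return p

def s_poly(p, q):
    """s-poly(p, q) = m1 * p - m2 * q with m1 * lm(p) = m = m2 * lm(q), where
    m is the lcm of the leading terms with coefficient 1 (Def. 7)."""
    lp, lq = lm(p), lm(q)
    m = tuple(max(a, b) for a, b in zip(lp[1], lq[1]))
    m1 = (1 / lp[0], tuple(a - b for a, b in zip(m, lp[1])))
    m2 = (1 / lq[0], tuple(a - b for a, b in zip(m, lq[1])))
    return add(mul([m1], p), neg(mul([m2], q)))

def buchberger(F):
    """Completion loop of Buchberger-aux (Sect. 6) over a worklist C of pairs:
    a non-zero normal form h of an s-polynomial joins the basis, together
    with the pairs (h, g) for every g already in it."""
    G = [f for f in F if f]          # Def. 4 needs f != 0, so drop |0|
    C = list(combinations(G, 2))     # initial-pairs
    while C:
        p, q = C.pop(0)
        h = nf(s_poly(p, q), G)
        if h:
            C = [(h, g) for g in G] + C    # (append (pairs h G) (rest C))
            G = [h] + G                    # (cons h G)
    return G

def imdp(p, F):
    """Decision procedure: p in <F> iff red*(p, Buchberger(F)) = 0 (Thm. 2)."""
    return nf(p, buchberger(F)) == []
```

With the constructed basis F = {xy - 1, y² - 1} in lex order x > y, the loop adds the single s-polynomial remainder x - y and then reduces every remaining s-polynomial to zero, so x² - 1 = (x + y)(x - y) + (y² - 1) is accepted and x + 1 is rejected.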

7 Conclusions 

We have shown how it is possible to use the Acl2 system in the formal develop- 
ment of Computer Algebra algorithms by presenting a verified implementation 
of Buchberger’s algorithm and a verified decision procedure for the ideal mem- 
bership problem. It is interesting to point out that all the theory needed to prove 
the correctness of the algorithm has been developed in the Acl2 logic, in spite 
of its (apparently) limited expressiveness. 

We have benefited from work previously done in the system. In particular, 
all the results about abstract reductions were originally developed for a formal- 
ization of rewriting systems [11]. We believe that this is a good example of how 
seemingly unrelated formalizations can be reused in other projects, provided the 
system offers a minimal support for it. However, we feel that Acl2 could be 
improved to provide more comfortable mechanisms for functional instantiation 
and for abstraction in general. Encapsulation provides a good abstraction mech- 
anism but functionally instantiating each encapsulated theorem is a tedious and 
error-prone task. Recently, several proposals have been formulated (e.g. poly- 
morphism and abstract data types) to cope with this problem in Acl2⁶. A 
graphical interface to visualize proof trees would be helpful too. 



⁶ A similar modularity issue has been reported in the COQ system too [13]. 
Little work has been done on the machine verification of Buchberger’s al- 
gorithm. As we mentioned in the introduction, the most relevant is the work 
of L. Théry [13] in COQ. T. Coquand and H. Persson [3] report an incomplete 
integrated development in Martin-Löf’s type theory using Agda. There is also a 
Mizar project [10] to formalize Gröbner bases. The main difference between our 
approach and these works is the underlying logic. All these logics are very differ- 
ent from Acl2, which is more primitive, basically an untyped and quantifier-free 
logic of total recursive functions, and makes no distinction between the program- 
ming and the specification languages. In exchange, a high degree of automation 
can be achieved and executability is obtained for free. 

We think that an advantage of our approach is that the implementation 
presented is compliant with Common Lisp, a real programming language, and 
can be directly executed in Acl2 or in any compliant Common Lisp. This is 
not the case for other systems, where the logic is not executable at all or the code 
has to be extracted by unverified means. Taking into account that Lisp is the 
language of choice for the implementation of CAS, like Macsyma and Axiom, 
this is not just a matter of theoretical importance but also a practical one. 

Our formal proof differs from Théry’s. First, it is based on [1] instead of [4]. 
Second, we prove that $\Phi$ implies local confluence instead of confluence: compare 
this with the proof of SpolyImpConf in [13]. Differences extend also to defi- 
nitions, e.g. ideals and confluence, mainly motivated by the lack of existential 
quantification. Finally, [13] uses a non-constructive proof of Dickson’s lemma by 
L. Pottier⁷. Our termination argument uses a proof of Dickson’s lemma obtained 
by an ordinal embedding in $\varepsilon_0$, the only well-founded structure known to Acl2. 

We would like to remark that although polynomial properties seem trivial to prove, this is not the case [8,9]. It seems that this is not due to the simplicity of the ACL2 logic. In [10] the authors recognize that it was challenging to prove the associativity of polynomial multiplication in Mizar, a system devoted to the formalization of mathematics. They were amazed by the fact that, in well-known algebra treatises, these properties are usually reduced to the univariate case or their proofs are partially sketched and justified "by analogy". In some cases, the proofs are even left as an exercise. In the same way, the author of [13] had to devote a greater effort to polynomials due to problems arising during their formalization in COQ. 

As for the user interaction required, we provided 169 definitions and 560 lemmas to develop a theory of polynomials (although this includes more than the strictly needed here) and 109 definitions and 346 lemmas for the theory of Gröbner bases and Buchberger's algorithm. All these lemmas are proved almost automatically. It is worth pointing out that of the 333 lemmas proved by induction, only 24 required a user-supplied induction scheme. Other lemmas needed a hint about the convenience of using a given instance of another lemma or keeping a function definition unexpanded. Only 9 functions required a hint for their termination proofs. Thus, the main role of the user is to provide the suitable sequence of definitions and lemmas to achieve the final correctness theorem. 

¹ A new proof of Dickson's lemma in COQ by H. Persson has been proposed later. 
Théry's implementation provides some standard optimizations that we do not include. Regarding future work, we are interested in studying how our verified implementation could be improved to incorporate some of the refinements built into the very specialized and optimized (and not formally verified) versions used in industrial-strength applications. It would be also interesting to use it to verify some application of Gröbner bases such as those described in [2]. 

An obvious improvement in the verified implementation is to avoid the "type conditions" in the body of Buchberger-aux, since these conditions are unnecessarily evaluated in every recursive call. But these conditions are needed to ensure termination. Until ACL2 version 2.7, there was no way to avoid this; but since the recent advent of ACL2 version 2.8 that is no longer true, since it is possible for a function to have two different bodies, one used for execution and another for its logical definition: this is done by previously proving that both bodies behave in the same way on the intended domain of the function. We plan to apply this new feature to our definition of Buchberger's algorithm. 
Abstract. Polynomial interpretations are a useful technique for proving termination of term rewrite systems. We show how polynomial interpretations with negative coefficients, like $x - 1$ for a unary function symbol or $x - y$ for a binary function symbol, can be used to extend the class of rewrite systems that can be automatically proved terminating. 



1 Introduction 

This paper is concerned with automatically proving termination of first-order rewrite systems by means of polynomial interpretations. In the classical approach, which goes back to Lankford [16], one associates with every $n$-ary function symbol $f$ a polynomial $P_f$ over the natural numbers in $n$ indeterminates, which induces a mapping from terms to polynomials in the obvious way. Then one shows that for every rewrite rule $l \to r$ the polynomial $P_l$ associated with the left-hand side $l$ is strictly greater than the polynomial $P_r$ associated with the right-hand side $r$, i.e., $P_l - P_r > 0$ for all values of the indeterminates. In order to conclude termination, the polynomial $P_f$ associated with an $n$-ary function symbol $f$ must be strictly monotone in all $n$ indeterminates. Techniques for finding appropriate polynomials as well as approximating (in general undecidable) polynomial inequalities $P > 0$ are described in several papers (e.g. [4, 6, 9, 15, 19]). As a simple example, consider the rewrite rules 
As a simple example, consider the rewrite rules 

$$x + 0 \to x \qquad\qquad x \times 0 \to 0$$

$$x + \mathsf{s}(y) \to \mathsf{s}(x + y) \qquad\qquad x \times \mathsf{s}(y) \to (x \times y) + x$$

Termination can be shown by the strictly monotone polynomial interpretations 

$$\times_{\mathbb N}(x, y) = 2xy + y + 1 \qquad +_{\mathbb N}(x, y) = x + 2y \qquad \mathsf{s}_{\mathbb N}(x) = x + 1 \qquad 0_{\mathbb N} = 1$$

over the natural numbers: 

$$x + 2 > x \qquad\qquad 2x + 2 > 1$$

$$x + 2y + 2 > x + 2y + 1 \qquad\qquad 2xy + 2x + y + 2 > 2xy + 2x + y + 1$$

Compared to other classical methods for proving termination of rewrite systems (like recursive path orders and Knuth-Bendix orders), polynomial interpretations are rather weak. Numerous natural examples cannot be handled because of the strict monotonicity requirement which precludes interpretations like $x + 1$ for binary function symbols. In connection with the dependency pair method of Arts and Giesl [1], polynomial interpretations become much more useful because strict monotonicity is no longer required; weak monotonicity is sufficient and hence $x + 1$ or even $0$ as interpretation of a binary function symbol causes no problems. Monotonicity is typically guaranteed by demanding that all coefficients are positive. 

In this paper we go a step further. We show that polynomial interpretations over the integers with negative coefficients like $x - 1$ and $x - y + 1$ can also be used for termination proofs. To make the discussion more concrete, let us consider a somewhat artificial example: the recursive definition 

$$f(x) = \textbf{if } x > 0 \textbf{ then } f(f(x - 1)) + 1 \textbf{ else } 0$$

from [8]. It computes the identity function over the natural numbers. Termination of the rewrite system 

1: $\mathsf{f}(\mathsf{s}(x)) \to \mathsf{s}(\mathsf{f}(\mathsf{f}(\mathsf{p}(\mathsf{s}(x)))))$ $\qquad$ 2: $\mathsf{f}(0) \to 0$ $\qquad$ 3: $\mathsf{p}(\mathsf{s}(x)) \to x$ 

obtained after the obvious translation is not easily proved. The (manual) proof in [8] relies on forward closures whereas powerful automatic tools like AProVE [11] and CiME [5] that incorporate both polynomial interpretations and the dependency pair method fail to prove termination. There are three dependency pairs (here $\mathsf{f}^\sharp$ and $\mathsf{p}^\sharp$ are new function symbols): 

4: $\mathsf{f}^\sharp(\mathsf{s}(x)) \to \mathsf{f}^\sharp(\mathsf{f}(\mathsf{p}(\mathsf{s}(x))))$ $\qquad$ 5: $\mathsf{f}^\sharp(\mathsf{s}(x)) \to \mathsf{f}^\sharp(\mathsf{p}(\mathsf{s}(x)))$ $\qquad$ 6: $\mathsf{f}^\sharp(\mathsf{s}(x)) \to \mathsf{p}^\sharp(\mathsf{s}(x))$ 

By taking the natural polynomial interpretation 

$$\mathsf{f}_{\mathbb Z}(x) = \mathsf{f}^\sharp_{\mathbb Z}(x) = x \qquad \mathsf{s}_{\mathbb Z}(x) = x + 1 \qquad 0_{\mathbb Z} = 0 \qquad \mathsf{p}_{\mathbb Z}(x) = \mathsf{p}^\sharp_{\mathbb Z}(x) = x - 1$$

over the integers, the rule and dependency pair constraints reduce to the following inequalities: 

1: $x + 1 \geq x + 1$ $\qquad$ 3: $x \geq x$ $\qquad$ 5: $x + 1 > x$ 

2: $0 \geq 0$ $\qquad$ 4: $x + 1 > x$ $\qquad$ 6: $x + 1 > x$ 

These constraints are obviously satisfied. The question is whether we are al- 
lowed to conclude termination at this point. We will argue that the answer is 
affirmative and, moreover, that the search for appropriate natural polynomial 
interpretations can be efficiently implemented. 

The approach described in this paper is inspired by the combination of the general path order and forward closures [8] as well as semantic labelling [24]. Concerning related work, Lucas [17, 18] considers polynomials with real coefficients for automatically proving termination of (context-sensitive) rewriting systems. He solves the problem of well-foundedness by replacing the standard order on $\mathbb R$ with $>_\delta$ for some fixed positive $\delta \in \mathbb R$: $x >_\delta y$ if and only if $x - y \geq \delta$. In addition, he demands that interpretations are uniformly bounded from below (i.e., there exists an $m \in \mathbb R$ such that $f_{\mathbb R}(x_1, \ldots, x_n) \geq m$ for all function symbols $f$ and $x_1, \ldots, x_n \geq m$). The latter requirement entails that interpretations like $x - 1$ or $x - y + 1$ cannot be handled. 

The remainder of the paper is organized as follows. In Section 3 we discuss 
polynomial interpretations with negative constants. Polynomial interpretations 
with negative coefficients require a different approach, which is detailed in Sec- 
tion 4. In Section 5 we discuss briefly how to find suitable polynomial interpreta- 
tions automatically and we report on the many experiments that we performed. 

2 Preliminaries 

We assume familiarity with the basics of term rewriting [3, 21] and with the dependency pair method [1] for proving (innermost) termination. In the latter method a term rewrite system (TRS for short) is transformed into a collection of ordering constraints of the form $l \geq r$ and $l > r$ that need to be solved in order to conclude termination. Solutions $(\geq, >)$ must be reduction pairs which consist of a rewrite preorder $\geq$ (i.e., a transitive and reflexive relation which is closed under contexts and substitutions) on terms and a compatible well-founded order $>$ which is closed under substitutions. Compatibility means that the inclusion $\geq \cdot > \,\subseteq\, >$ or the inclusion $> \cdot \geq \,\subseteq\, >$ holds. (Here $\cdot$ denotes relational composition.) 

A general semantic construction of reduction pairs, which covers traditional polynomial interpretations, is based on the concept of algebra. If we equip the carrier $A$ of an $\mathcal F$-algebra $\mathcal A = (A, \{f_{\mathcal A}\}_{f \in \mathcal F})$ with a well-founded order $>$ such that every interpretation function is weakly monotone in all arguments (i.e., $f_{\mathcal A}(x_1, \ldots, x_n) \geq f_{\mathcal A}(y_1, \ldots, y_n)$ whenever $x_i \geq y_i$ for all $1 \leq i \leq n$, for every $n$-ary function symbol $f \in \mathcal F$) then $(\geq_{\mathcal A}, >_{\mathcal A})$ is a reduction pair. Here the relations $\geq_{\mathcal A}$ and $>_{\mathcal A}$ are defined as follows: $s \geq_{\mathcal A} t$ if $[\alpha]_{\mathcal A}(s) \geq [\alpha]_{\mathcal A}(t)$ and $s >_{\mathcal A} t$ if $[\alpha]_{\mathcal A}(s) > [\alpha]_{\mathcal A}(t)$, for all assignments $\alpha$ of elements of $A$ to the variables in $s$ and $t$ ($[\alpha]_{\mathcal A}(\cdot)$ denotes the usual evaluation function associated with the algebra $\mathcal A$). In general, the relation $>_{\mathcal A}$ is not closed under contexts, $\geq_{\mathcal A}$ is a preorder but not a partial order, and $>_{\mathcal A}$ is not the strict part of $\geq_{\mathcal A}$. Compatibility holds because of the identity $\geq_{\mathcal A} \cdot >_{\mathcal A} \,=\, >_{\mathcal A}$. We write $s =_{\mathcal A} t$ if $[\alpha]_{\mathcal A}(s) = [\alpha]_{\mathcal A}(t)$ for all assignments $\alpha$. We say that $\mathcal A$ is a model for a TRS $\mathcal R$ if $l =_{\mathcal A} r$ for all rewrite rules in $\mathcal R$. 

In this paper we use the following results from [10] concerning dependency 
pairs. 

Theorem 1. A TRS $\mathcal R$ is terminating if for every cycle $C$ in its dependency graph there exists a reduction pair $(\geq, >)$ such that $\mathcal R \subseteq\, \geq$, $C \subseteq\, \geq \cup >$, and $C \cap > \,\neq \varnothing$. □ 

Theorem 2. A TRS $\mathcal R$ is innermost terminating if for every cycle $C$ in its innermost dependency graph there exists a reduction pair $(\geq, >)$ such that $\mathcal U(C) \subseteq\, \geq$, $C \subseteq\, \geq \cup >$, and $C \cap > \,\neq \varnothing$. □ 
3 Negative Constants 

3.1 Theoretical Framework 

When using polynomial interpretations with negative constants like in the example of the introduction, the first challenge we face is that the standard order $>$ on $\mathbb Z$ is not well-founded. Restricting the domain to the set $\mathbb N$ of natural numbers makes an interpretation like $\mathsf{p}_{\mathbb Z}(x) = x - 1$ ill-defined. Dershowitz and Hoot observe in [8] that if all (instantiated) subterms in the rules of the TRS are interpreted as non-negative integers, such interpretations can work correctly. Following their observation, we propose to modify the interpretation of $\mathsf{p}$ to $\mathsf{p}_{\mathbb N}(x) = \max\{0, x - 1\}$. 

Definition 3. Let $\mathcal F$ be a signature and let $(\mathbb Z, \{f_{\mathbb Z}\}_{f \in \mathcal F})$ be an $\mathcal F$-algebra such that every interpretation function $f_{\mathbb Z}$ is weakly monotone in all its arguments. The interpretation functions of the induced algebra $(\mathbb N, \{f_{\mathbb N}\}_{f \in \mathcal F})$ are defined as follows: $f_{\mathbb N}(x_1, \ldots, x_n) = \max\{0, f_{\mathbb Z}(x_1, \ldots, x_n)\}$ for all $x_1, \ldots, x_n \in \mathbb N$. 

With respect to the interpretations in the introduction we obtain $\mathsf{s}_{\mathbb N}(\mathsf{p}_{\mathbb N}(x)) = \max\{0, \max\{0, x - 1\} + 1\} = \max\{0, x - 1\} + 1$, $\mathsf{p}_{\mathbb N}(0_{\mathbb N}) = \max\{0, 0\} = 0$, and $\mathsf{p}_{\mathbb N}(\mathsf{s}_{\mathbb N}(x)) = \max\{0, \max\{0, x + 1\} - 1\} = x$. 

Lemma 4. If $(\mathbb Z, \{f_{\mathbb Z}\}_{f \in \mathcal F})$ is an $\mathcal F$-algebra with weakly monotone interpretations then $(\geq_{\mathbb N}, >_{\mathbb N})$ is a reduction pair. 

Proof. It is easy to show that the interpretation functions of the induced algebra are weakly monotone in all arguments. Routine arguments reveal that the relation $>_{\mathbb N}$ is a well-founded order which is closed under substitutions and that $\geq_{\mathbb N}$ is a preorder closed under contexts and substitutions. Moreover, the identity $\geq_{\mathbb N} \cdot >_{\mathbb N} \,=\, >_{\mathbb N}$ holds. Hence $(\geq_{\mathbb N}, >_{\mathbb N})$ is a reduction pair. □ 

It is interesting to remark that unlike usual polynomial interpretations, the relation $>_{\mathbb N}$ does not have the (weak) subterm property. For instance, with respect to the interpretations in the example of the introduction, we have $\mathsf{s}(0) >_{\mathbb N} \mathsf{p}(\mathsf{s}(0))$ and not $\mathsf{p}(\mathsf{s}(0)) >_{\mathbb N} \mathsf{p}(0)$. 

In recent modular refinements of the dependency pair method [23, 13, 22] suitable reduction pairs $(\geq, >)$ have to satisfy the additional property of $\mathcal C_\varepsilon$-compatibility: $\geq$ must orient the rules of the TRS $\mathcal C_\varepsilon$ consisting of the two rewrite rules $\mathsf{cons}(x, y) \to x$ and $\mathsf{cons}(x, y) \to y$, where $\mathsf{cons}$ is a fresh function symbol, from left to right. This is not a problem because we can simply define $\mathsf{cons}_{\mathbb N}(x, y) = \max\{x, y\}$. In this way we obtain a reduction pair $(\geq', >')$ on terms over the original signature extended with $\mathsf{cons}$ such that $\geq_{\mathbb N} \cup\, \mathcal C_\varepsilon \subseteq\, \geq'$ and $>_{\mathbb N} \subseteq\, >'$. 

Example 5. Consider the TRS consisting of the following rewrite rules: 

1: $\mathsf{half}(0) \to 0$ $\qquad$ 4: $\mathsf{bits}(0) \to 0$ 

2: $\mathsf{half}(\mathsf{s}(0)) \to 0$ $\qquad$ 5: $\mathsf{bits}(\mathsf{s}(x)) \to \mathsf{s}(\mathsf{bits}(\mathsf{half}(\mathsf{s}(x))))$ 

3: $\mathsf{half}(\mathsf{s}(\mathsf{s}(x))) \to \mathsf{s}(\mathsf{half}(x))$ 

The function $\mathsf{half}(x)$ computes $\lfloor x/2 \rfloor$ and $\mathsf{bits}(x)$ computes the number of bits that are needed to represent all numbers less than or equal to $x$. Termination of this TRS is proved in [2] by using the dependency pair method together with the narrowing refinement. There are three dependency pairs: 

6: $\mathsf{half}^\sharp(\mathsf{s}(\mathsf{s}(x))) \to \mathsf{half}^\sharp(x)$ 

7: $\mathsf{bits}^\sharp(\mathsf{s}(x)) \to \mathsf{bits}^\sharp(\mathsf{half}(\mathsf{s}(x)))$ 

8: $\mathsf{bits}^\sharp(\mathsf{s}(x)) \to \mathsf{half}^\sharp(\mathsf{s}(x))$ 

By taking the interpretations $0_{\mathbb Z} = 0$, $\mathsf{half}_{\mathbb Z}(x) = x - 1$, $\mathsf{bits}_{\mathbb Z}(x) = \mathsf{half}^\sharp_{\mathbb Z}(x) = x$, and $\mathsf{s}_{\mathbb Z}(x) = \mathsf{bits}^\sharp_{\mathbb Z}(x) = x + 1$, we obtain the following constraints over $\mathbb N$: 



1: $0 \geq 0$ $\qquad$ 5: $x + 1 \geq x + 1$ 

2: $0 \geq 0$ $\qquad$ 6: $x + 2 > x$ 

3: $x + 1 \geq \max\{0, x - 1\} + 1$ $\qquad$ 7: $x + 2 > x + 1$ 

4: $0 \geq 0$ $\qquad$ 8: $x + 2 > x + 1$ 

These constraints are satisfied, so the TRS is terminating, but how can an inequality like $x + 1 \geq \max\{0, x - 1\} + 1$ be verified automatically? 



3.2 Towards Automation 

Because the inequalities resulting from interpretations with negative constants may contain the max operator, we cannot use standard techniques for comparing polynomial expressions. In order to avoid reasoning by case analysis ($x - 1 > 0$ or $x - 1 \leq 0$ for constraint 3 in Example 5), we approximate the evaluation function of the induced algebra. 

Definition 6. Given a polynomial $P$ with coefficients in $\mathbb Z$, we denote the constant part by $c(P)$ and the non-constant part $P - c(P)$ by $n(P)$. Let $(\mathbb Z, \{f_{\mathbb Z}\}_{f \in \mathcal F})$ be an $\mathcal F$-algebra such that every $f_{\mathbb Z}$ is a weakly monotone polynomial. With every term $t$ we associate polynomials $P_{\mathit{left}}(t)$ and $P_{\mathit{right}}(t)$ with coefficients in $\mathbb Z$ and variables in $t$ as indeterminates: 

$$P_{\mathit{left}}(t) = \begin{cases} t & \text{if } t \text{ is a variable} \\ 0 & \text{if } t = f(t_1, \ldots, t_n),\ n(P_1) = 0,\ \text{and } c(P_1) < 0 \\ P_1 & \text{otherwise} \end{cases}$$

where $P_1 = f_{\mathbb Z}(P_{\mathit{left}}(t_1), \ldots, P_{\mathit{left}}(t_n))$ and 

$$P_{\mathit{right}}(t) = \begin{cases} t & \text{if } t \text{ is a variable} \\ n(P_2) & \text{if } t = f(t_1, \ldots, t_n) \text{ and } c(P_2) < 0 \\ P_2 & \text{otherwise} \end{cases}$$

where $P_2 = f_{\mathbb Z}(P_{\mathit{right}}(t_1), \ldots, P_{\mathit{right}}(t_n))$. Let $\alpha\colon \mathcal V \to \mathbb N$ be an assignment. The result of evaluating $P_{\mathit{left}}(t)$ and $P_{\mathit{right}}(t)$ under $\alpha$ is denoted by $[\alpha]^{\ell}_{\mathbb Z}(t)$ and $[\alpha]^{r}_{\mathbb Z}(t)$. The result of evaluating a polynomial $P$ under $\alpha$ is denoted by $\alpha(P)$. 
According to the following lemma, $P_{\mathit{left}}(t)$ is a lower bound and $P_{\mathit{right}}(t)$ is an upper bound of the interpretation of $t$ in the induced algebra. 

Lemma 7. Let $(\mathbb Z, \{f_{\mathbb Z}\}_{f \in \mathcal F})$ be an $\mathcal F$-algebra such that every $f_{\mathbb Z}$ is a weakly monotone polynomial. Let $t$ be a term. For every assignment $\alpha\colon \mathcal V \to \mathbb N$ we have 

$$[\alpha]^{\ell}_{\mathbb Z}(t) \leq [\alpha]_{\mathbb N}(t) \leq [\alpha]^{r}_{\mathbb Z}(t).$$

Proof. By induction on the structure of $t$. If $t \in \mathcal V$ then $[\alpha]^{\ell}_{\mathbb Z}(t) = [\alpha]^{r}_{\mathbb Z}(t) = \alpha(t) = [\alpha]_{\mathbb N}(t)$. Suppose $t = f(t_1, \ldots, t_n)$. According to the induction hypothesis, $[\alpha]^{\ell}_{\mathbb Z}(t_i) \leq [\alpha]_{\mathbb N}(t_i) \leq [\alpha]^{r}_{\mathbb Z}(t_i)$ for all $i$. Since $f_{\mathbb Z}$ is weakly monotone, 

$$f_{\mathbb Z}([\alpha]^{\ell}_{\mathbb Z}(t_1), \ldots, [\alpha]^{\ell}_{\mathbb Z}(t_n)) \leq f_{\mathbb Z}([\alpha]_{\mathbb N}(t_1), \ldots, [\alpha]_{\mathbb N}(t_n)) \leq f_{\mathbb Z}([\alpha]^{r}_{\mathbb Z}(t_1), \ldots, [\alpha]^{r}_{\mathbb Z}(t_n))$$

By applying the weakly monotone function $\max\{0, \cdot\}$ we obtain $\max\{0, \alpha(P_1)\} \leq [\alpha]_{\mathbb N}(t) \leq \max\{0, \alpha(P_2)\}$ where $P_1 = f_{\mathbb Z}(P_{\mathit{left}}(t_1), \ldots, P_{\mathit{left}}(t_n))$ and $P_2 = f_{\mathbb Z}(P_{\mathit{right}}(t_1), \ldots, P_{\mathit{right}}(t_n))$. We have 

$$[\alpha]^{\ell}_{\mathbb Z}(t) = \begin{cases} 0 & \text{if } n(P_1) = 0 \text{ and } c(P_1) < 0 \\ \alpha(P_1) & \text{otherwise} \end{cases}$$

and thus $[\alpha]^{\ell}_{\mathbb Z}(t) \leq \max\{0, \alpha(P_1)\}$. Likewise, 

$$[\alpha]^{r}_{\mathbb Z}(t) = \begin{cases} \alpha(n(P_2)) & \text{if } c(P_2) < 0 \\ \alpha(P_2) & \text{otherwise} \end{cases}$$

In the former case, $\alpha(n(P_2)) = \alpha(P_2) - c(P_2) > \alpha(P_2)$ and $\alpha(n(P_2)) \geq 0$. In the latter case $\alpha(P_2) \geq 0$. So in both cases we have $[\alpha]^{r}_{\mathbb Z}(t) \geq \max\{0, \alpha(P_2)\}$. Hence we obtain the desired inequalities. □ 

Corollary 8. Let $(\mathbb Z, \{f_{\mathbb Z}\}_{f \in \mathcal F})$ be an $\mathcal F$-algebra such that every $f_{\mathbb Z}$ is a weakly monotone polynomial. Let $s$ and $t$ be terms. If $P_{\mathit{left}}(s) - P_{\mathit{right}}(t) > 0$ then $s >_{\mathbb N} t$. If $P_{\mathit{left}}(s) - P_{\mathit{right}}(t) \geq 0$ then $s \geq_{\mathbb N} t$. □ 

Example 9. Consider again the TRS of Example 5. By applying $P_{\mathit{left}}$ to the left-hand sides and $P_{\mathit{right}}$ to the right-hand sides of the rewrite rules and the dependency pairs, the following ordering constraints are obtained: 

1: $0 \geq 0$ $\qquad$ 3: $x + 1 \geq x + 1$ $\qquad$ 5: $x + 1 \geq x + 1$ $\qquad$ 7: $x + 2 > x + 1$ 

2: $0 \geq 0$ $\qquad$ 4: $0 \geq 0$ $\qquad$ 6: $x + 2 > x$ $\qquad$ 8: $x + 2 > x + 1$ 

The only difference with the constraints in Example 5 is the interpretation of the term $\mathsf{s}(\mathsf{half}(x))$ on the right-hand side of rule 3. We have $P_{\mathit{right}}(\mathsf{half}(x)) = n(x - 1) = x$ and thus $P_{\mathit{right}}(\mathsf{s}(\mathsf{half}(x))) = x + 1$. Although $x + 1$ is less precise than $\max\{0, x - 1\} + 1$, it is accurate enough to solve the ordering constraint resulting from rule 3. 

So once the interpretations $f_{\mathbb Z}$ are determined, we transform a rule $l \to r$ into the polynomial $P_{\mathit{left}}(l) - P_{\mathit{right}}(r)$. Standard techniques can then be used to test whether this polynomial is positive (or non-negative) for all values in $\mathbb N$ for the variables. The remaining question is how to find suitable interpretations for the function symbols. This problem will be discussed in Section 5. 
4 Negative Coefficients 



Let us start with an example which shows that negative coefficients in polynomial 
interpretations can be useful. 

Example 10. Consider the following variation of a TRS in [2]: 

1: $0 \leq x \to \mathsf{true}$ $\qquad$ 7: $x - 0 \to x$ 

2: $\mathsf{s}(x) \leq 0 \to \mathsf{false}$ $\qquad$ 8: $\mathsf{s}(x) - \mathsf{s}(y) \to x - y$ 

3: $\mathsf{s}(x) \leq \mathsf{s}(y) \to x \leq y$ $\qquad$ 9: $\mathsf{if}(\mathsf{true}, x, y) \to x$ 

4: $\mathsf{mod}(0, \mathsf{s}(y)) \to 0$ $\qquad$ 10: $\mathsf{if}(\mathsf{false}, x, y) \to y$ 

5: $\mathsf{mod}(\mathsf{s}(x), 0) \to 0$ 

6: $\mathsf{mod}(\mathsf{s}(x), \mathsf{s}(y)) \to \mathsf{if}(y \leq x, \mathsf{mod}(\mathsf{s}(x) - \mathsf{s}(y), \mathsf{s}(y)), \mathsf{s}(x))$ 

There are 6 dependency pairs: 

11: $\mathsf{s}(x) \leq^\sharp \mathsf{s}(y) \to x \leq^\sharp y$ 

12: $\mathsf{s}(x) -^\sharp \mathsf{s}(y) \to x -^\sharp y$ 

13: $\mathsf{mod}^\sharp(\mathsf{s}(x), \mathsf{s}(y)) \to \mathsf{if}^\sharp(y \leq x, \mathsf{mod}(\mathsf{s}(x) - \mathsf{s}(y), \mathsf{s}(y)), \mathsf{s}(x))$ 

14: $\mathsf{mod}^\sharp(\mathsf{s}(x), \mathsf{s}(y)) \to y \leq^\sharp x$ 

15: $\mathsf{mod}^\sharp(\mathsf{s}(x), \mathsf{s}(y)) \to \mathsf{mod}^\sharp(\mathsf{s}(x) - \mathsf{s}(y), \mathsf{s}(y))$ 

16: $\mathsf{mod}^\sharp(\mathsf{s}(x), \mathsf{s}(y)) \to \mathsf{s}(x) -^\sharp \mathsf{s}(y)$ 

Since the TRS is non-overlapping, it is sufficient to prove innermost termination. The problematic cycle in the (innermost) dependency graph is $C = \{15\}$. The usable rewrite rules for this cycle are $\mathcal U(C) = \{7, 8\}$. We need to find a reduction pair $(\geq, >)$ such that rules 7 and 8 are weakly decreasing (i.e., compatible with $\geq$) and dependency pair 15 is strictly decreasing (with respect to $>$). The only way to achieve the latter is by using the observation that $\mathsf{s}(x)$ is semantically greater than the syntactically larger term $\mathsf{s}(x) - \mathsf{s}(y)$. If we take the natural interpretation $-_{\mathbb Z}(x, y) = x - y$, $\mathsf{s}_{\mathbb Z}(x) = x + 1$, and $0_{\mathbb Z} = 0$, together with $\mathsf{mod}^\sharp_{\mathbb Z}(x, y) = x$ then we obtain the following ordering constraints over the natural numbers: 

7: $x \geq x$ $\qquad$ 8: $\max\{0, x - y\} \geq \max\{0, x - y\}$ $\qquad$ 15: $x + 1 > \max\{0, x - y\}$ 



4.1 Theoretical Framework 

The constraints in the above example are obviously satisfied, but are we allowed to use an interpretation like $-_{\mathbb Z}(x, y) = x - y$ in (innermost) termination proofs? The answer appears to be negative because Lemma 4 no longer holds. Because the induced interpretation $-_{\mathbb N}(x, y) = \max\{0, x - y\}$ is not weakly monotone in its second argument, the order $\geq_{\mathbb N}$ of the induced algebra is not closed under contexts, so if $s \geq_{\mathbb N} t$ then it may happen that $C[s] \not\geq_{\mathbb N} C[t]$. Consequently, we do not obtain a reduction pair. However, if we have $s =_{\mathbb N} t$ rather than $s \geq_{\mathbb N} t$, closure under contexts is obtained for free. So we could take $(=_{\mathbb N}, >_{\mathbb N})$ as reduction pair. This works fine in the above example because the induced algebra is a model of the set of usable rules $\{7, 8\}$ and $>_{\mathbb N}$ orients dependency pair 15. However, requiring that all dependency pairs in a cycle are compatible with $=_{\mathbb N} \cup >_{\mathbb N}$ is rather restrictive because dependency pairs that are transformed into a polynomial constraint of the form … or $x + 2y \geq x + y$ cannot be handled. So we will allow $\geq_{\mathbb N}$ for the orientation of dependency pairs in a cycle $C$ but insist that at least one dependency pair in $C$ is compatible with $>_{\mathbb N}$. (Note that the relation $=_{\mathbb N} \cup >_{\mathbb N}$ is properly contained in $\geq_{\mathbb N}$.) The theorems below state the soundness of this approach in a more abstract setting. The proofs are straightforward modifications from the ones in [13]. The phrase "there are no minimal $C$-rewrite sequences" intuitively means that if a TRS $\mathcal R$ is non-terminating then this is due to a different cycle of the dependency graph. 

Theorem 11. Let $\mathcal R$ be a TRS and let $C$ be a cycle in its dependency graph. If there exists an algebra $\mathcal A$ equipped with a well-founded order $>$ such that $\mathcal R \subseteq\, =_{\mathcal A}$, $C \subseteq\, \geq_{\mathcal A}$ and $C \cap >_{\mathcal A} \,\neq \varnothing$ then there are no minimal $C$-rewrite sequences. □ 

In other words, when proving termination, a cycle $C$ of the dependency graph can be ignored if the conditions of Theorem 11 are satisfied. A similar statement holds for innermost termination. 

Theorem 12. Let $\mathcal R$ be a TRS and let $C$ be a cycle in its innermost dependency graph. If there exists an algebra $\mathcal A$ equipped with a well-founded order $>$ such that $\mathcal U(C) \subseteq\, =_{\mathcal A}$, $C \subseteq\, \geq_{\mathcal A}$ and $C \cap >_{\mathcal A} \,\neq \varnothing$ then there are no minimal innermost $C$-rewrite sequences. □ 

The difference with Theorem 11 is the use of the innermost dependency graph and, more importantly, the replacement of the set $\mathcal R$ of all rewrite rules by the set $\mathcal U(C)$ of usable rules for $C$, which in general is a much smaller set. Very recently, it has been proved [13, 22] that the usable rules criterion can also be used for termination, provided the employed reduction pair is $\mathcal C_\varepsilon$-compatible. However, replacing $\mathcal R$ by $\mathcal U(C)$ in Theorem 11 would be unsound. The reason is that the TRS $\mathcal C_\varepsilon$ admits no non-trivial models. 

Example 13. Consider the following non-terminating TRS $\mathcal R$: 

1: $\mathsf{h}(\mathsf{f}(\mathsf{a}, \mathsf{b}, x)) \to \mathsf{h}(\mathsf{f}(x, x, x))$ $\qquad$ 2: $\mathsf{g}(x, y) \to x$ $\qquad$ 3: $\mathsf{g}(x, y) \to y$ 

The only dependency pair $\mathsf{h}^\sharp(\mathsf{f}(\mathsf{a}, \mathsf{b}, x)) \to \mathsf{h}^\sharp(\mathsf{f}(x, x, x))$ forms a cycle in the dependency graph. There are no usable rules. If we take the polynomial interpretation $\mathsf{a}_{\mathbb Z} = 1$, $\mathsf{b}_{\mathbb Z} = 0$, $\mathsf{f}_{\mathbb Z}(x, y, z) = x - y$, and $\mathsf{h}^\sharp_{\mathbb Z}(x) = x$ then the dependency pair is transformed into $1 > 0$. Note that it is not possible to extend the interpretation to a model for $\mathcal R$. Choosing $\mathsf{h}_{\mathbb Z}(x) = 0$ will take care of rule 1, but there is no interpretation $\mathsf{g}_{\mathbb Z}$ such that $\max\{0, \mathsf{g}_{\mathbb Z}(x, y)\} = x$ and $\max\{0, \mathsf{g}_{\mathbb Z}(x, y)\} = y$ for all natural numbers $x$ and $y$. 
4.2 Towards Automation 

How do we verify a constraint like $x + 1 > \max\{0, x - y\}$? The approach that we developed in Section 3.2 for dealing with negative constants is not applicable because Lemma 7 relies essentially on weak monotonicity of the polynomial interpretations. 

Let $\mathcal P_{\geq 0}$ be a subset of the set of polynomials $P$ with integer coefficients such that $\alpha(P) \geq 0$ for all $\alpha\colon \mathcal V \to \mathbb N$ for which membership is decidable. For instance, $\mathcal P_{\geq 0}$ could be the set of polynomials without negative coefficients. We define $\mathcal P_{< 0}$ in the same way. 

Definition 14. Let $(\mathbb Z, \{f_{\mathbb Z}\}_{f \in \mathcal F})$ be an algebra. With every term $t$ we associate a polynomial $Q(t)$ as follows: 

$$Q(t) = \begin{cases} t & \text{if } t \text{ is a variable} \\ P & \text{if } t = f(t_1, \ldots, t_n) \text{ and } P \in \mathcal P_{\geq 0} \\ 0 & \text{if } t = f(t_1, \ldots, t_n) \text{ and } P \in \mathcal P_{< 0} \\ v(P) & \text{otherwise} \end{cases}$$

where $P = f_{\mathbb Z}(Q(t_1), \ldots, Q(t_n))$. In the last clause $v(P)$ denotes a fresh abstract variable that we uniquely associate with $P$. 

There are two kinds of indeterminates in $Q(t)$: ordinary variables occurring in $t$ and abstract variables. The intuitive meaning of an abstract variable $v(P)$ is $\max\{0, P\}$. The latter quantity is always non-negative, like an ordinary variable ranging over the natural numbers, but from $v(P)$ we can extract the original polynomial $P$ and this information may be crucial for a comparison between two polynomial expressions to succeed. Note that the polynomial $P$ associated with an abstract variable $v(P)$ may contain other abstract variables. However, because $v(P)$ is different from previously selected abstract variables, there are no spurious loops like $P_1 = v(x - v(P_2))$ and $P_2 = v(x - v(P_1))$. 

The reason for using $\mathcal P_{\geq 0}$ and $\mathcal P_{< 0}$ in the above definition is to make our approach independent of the particular method that is used to test non-negativeness or negativeness of polynomials. 

Definition 15. With every assignment $\alpha\colon \mathcal V \to \mathbb N$ we associate an assignment $\alpha^*\colon \mathcal V \to \mathbb N$ defined as follows: 

$$\alpha^*(x) = \begin{cases} \max\{0, \alpha^*(P)\} & \text{if } x \text{ is an abstract variable } v(P) \\ \alpha(x) & \text{otherwise} \end{cases}$$

The above definition is recursive because $P$ may contain abstract variables. However, since $v(P)$ is different from previously selected abstract variables, the recursion terminates and it follows that $\alpha^*$ is well-defined. 

Theorem 16. Let $(\mathbb Z, \{f_{\mathbb Z}\}_{f \in \mathcal F})$ be an algebra such that every $f_{\mathbb Z}$ is a polynomial. Let $t$ be a term. For every assignment $\alpha$ we have $[\alpha]_{\mathbb N}(t) = \alpha^*(Q(t))$. 

Proof. We show that $[\alpha]_{\mathbb N}(t) = \alpha^*(Q(t))$ by induction on $t$. If $t$ is a variable then $[\alpha]_{\mathbb N}(t) = \alpha(t) = \alpha^*(t) = \alpha^*(Q(t))$. Suppose $t = f(t_1, \ldots, t_n)$. Let $P = f_{\mathbb Z}(Q(t_1), \ldots, Q(t_n))$. The induction hypothesis yields $[\alpha]_{\mathbb N}(t_i) = \alpha^*(Q(t_i))$ for all $i$ and thus 

$$[\alpha]_{\mathbb N}(t) = f_{\mathbb N}(\alpha^*(Q(t_1)), \ldots, \alpha^*(Q(t_n))) = \max\{0, f_{\mathbb Z}(\alpha^*(Q(t_1)), \ldots, \alpha^*(Q(t_n)))\} = \max\{0, \alpha^*(P)\}$$

We distinguish three cases, corresponding to the definition of $Q(t)$. 

— First suppose that $P \in \mathcal P_{\geq 0}$. This implies that $\alpha^*(P) \geq 0$ and thus we have $\max\{0, \alpha^*(P)\} = \alpha^*(P)$. Hence $[\alpha]_{\mathbb N}(t) = \alpha^*(P) = \alpha^*(Q(t))$. 

— Next suppose that $P \in \mathcal P_{< 0}$. So $\alpha^*(P) < 0$ and thus $\max\{0, \alpha^*(P)\} = 0$. Hence $[\alpha]_{\mathbb N}(t) = 0 = \alpha^*(Q(t))$. 

— In the remaining case we do not know the status of $P$. We have $Q(t) = v(P)$ and thus $\alpha^*(Q(t)) = \max\{0, \alpha^*(P)\}$ which immediately yields the desired identity $[\alpha]_{\mathbb N}(t) = \alpha^*(Q(t))$. 

□ 

Corollary 17. Let $(\mathbb Z, \{f_{\mathbb Z}\}_{f \in \mathcal F})$ be an $\mathcal F$-algebra such that every $f_{\mathbb Z}$ is a polynomial. Let $s$ and $t$ be terms. If $Q(s) = Q(t)$ then $s =_{\mathbb N} t$. If $\alpha^*(Q(s) - Q(t)) > 0$ for all assignments $\alpha\colon \mathcal V \to \mathbb N$ then $s >_{\mathbb N} t$. If $\alpha^*(Q(s) - Q(t)) \geq 0$ for all assignments $\alpha\colon \mathcal V \to \mathbb N$ then $s \geq_{\mathbb N} t$. □ 

Example 18. Consider again dependency pair 15 from Example 10: 

$$\mathsf{mod}^\sharp(\mathsf{s}(x), \mathsf{s}(y)) \to \mathsf{mod}^\sharp(\mathsf{s}(x) - \mathsf{s}(y), \mathsf{s}(y))$$

We have $Q(\mathsf{mod}^\sharp(\mathsf{s}(x), \mathsf{s}(y))) = x + 1$ and $Q(\mathsf{mod}^\sharp(\mathsf{s}(x) - \mathsf{s}(y), \mathsf{s}(y))) = v(x - y)$. Since $x + 1 - v(x - y)$ may be negative (when interpreting $v(x - y)$ as a variable), the above corollary cannot be used to conclude that 15 is strictly decreasing. However, if we estimate $v(x - y)$ by $x$, the non-negative part of $x - y$, then we obtain $x + 1 - x = 1$ which is clearly positive. 

Given a polynomial $P$ with coefficients in $\mathbb Z$, we denote the non-negative part of $P$ by $N(P)$. 

Lemma 19. Let $Q$ be a polynomial with integer coefficients. Suppose $v(P)$ is an abstract variable that occurs in $Q$ but not in $N(Q)$. If $Q'$ is the polynomial obtained from $Q$ by replacing $v(P)$ with $N(P)$ then $\alpha^*(Q) \geq \alpha^*(Q')$ for all assignments $\alpha\colon \mathcal V \to \mathbb N$. 

Proof. Let $\alpha\colon \mathcal V \to \mathbb N$ be an arbitrary assignment. In $\alpha^*(Q)$ every occurrence of $v(P)$ is assigned the value $\alpha^*(v(P)) = \max\{0, \alpha^*(P)\}$. We have $\alpha^*(N(P)) \geq \alpha^*(P)$ and $\alpha^*(N(P)) \geq 0$, hence $\alpha^*(N(P)) \geq \alpha^*(v(P))$. By assumption, $v(P)$ occurs only in the negative part of $Q$. Hence $Q$ is (strictly) anti-monotone in $v(P)$ and therefore $\alpha^*(Q) \geq \alpha^*(Q')$. □ 

In order to determine whether $s \geq_{\mathbb N} t$ (or $s >_{\mathbb N} t$) holds, the idea now is to first use standard techniques to test the non-negativeness of $Q = Q(s) - Q(t)$ (i.e., we determine whether $\alpha(Q) \geq 0$ for all assignments $\alpha$ by checking whether $Q \in \mathcal P_{\geq 0}$). If $Q$ is non-negative then we certainly have $\alpha^*(Q) \geq 0$ for all assignments $\alpha$ and thus $s \geq_{\mathbb N} t$ follows from Corollary 17. If non-negativeness cannot be shown then we apply the previous lemma to replace an abstract variable that occurs only in the negative part of $Q$. The resulting polynomial $Q'$ is tested for non-negativeness. If the test succeeds then for all assignments $\alpha$ we have $\alpha^*(Q') \geq 0$ and thus also $\alpha^*(Q) \geq 0$ by the previous lemma. According to Corollary 17 this is sufficient to conclude $s \geq_{\mathbb N} t$. Otherwise we repeat the above process with $Q'$. The process terminates when there are no more abstract variables left that appear only in the negative part of the current polynomial. 
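As an added example (this is not code from the paper or from the Tyrolean Termination Tool), the following Python carries out both transformations on the paper's own examples: P_left / P_right of Definition 6 with the test of Corollary 8 for Examples 5 and 9 (Section 3.2), and Q of Definition 14 with the Lemma 19 replacement loop for Examples 10 and 18 (Section 4.2). The term encoding, the dictionary-based polynomials and the coefficient test used to decide membership in P_≥0 and P_<0 are assumptions of the example.

```python
# Added example (not the paper's code): P_left / P_right of Definition 6 with the test of
# Corollary 8, and Q of Definition 14 with the Lemma 19 replacement loop of Section 4.2.
# Terms are nested tuples ('f', arg, ...) with variables as plain strings. Polynomials
# over Z are dicts mapping a monomial (sorted tuple of variable names, () for the
# constant) to its coefficient. Membership in P_>=0 / P_<0 is decided by the simple
# coefficient test the paper mentions (no negative, respectively no positive, coefficients).

def const(c): return {(): c} if c else {}
def var(x): return {(x,): 1}
def c_part(p): return p.get((), 0)                                 # c(P): constant part
def n_part(p): return {m: c for m, c in p.items() if m != ()}      # n(P) = P - c(P)
def nonneg_part(p): return {m: c for m, c in p.items() if c > 0}   # N(P)
def is_nonneg(p): return all(c >= 0 for c in p.values())           # P in P_>=0
def is_positive(p): return is_nonneg(p) and c_part(p) > 0          # P > 0 for all values in N
def is_negative(p): return c_part(p) < 0 and all(c <= 0 for c in p.values())  # P in P_<0

def add(p, q):
    r = dict(p)
    for m, c in q.items():
        r[m] = r.get(m, 0) + c
    return {m: c for m, c in r.items() if c}

def sub(p, q): return add(p, {m: -c for m, c in q.items()})

def mul(p, q):
    r = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            m = tuple(sorted(m1 + m2))
            r[m] = r.get(m, 0) + c1 * c2
    return {m: c for m, c in r.items() if c}

def p_left(t, I):                   # Definition 6: lower bound of [alpha]_N(t)
    if isinstance(t, str):
        return var(t)
    p1 = I[t[0]](*[p_left(a, I) for a in t[1:]])
    return const(0) if not n_part(p1) and c_part(p1) < 0 else p1

def p_right(t, I):                  # Definition 6: upper bound of [alpha]_N(t)
    if isinstance(t, str):
        return var(t)
    p2 = I[t[0]](*[p_right(a, I) for a in t[1:]])
    return n_part(p2) if c_part(p2) < 0 else p2

ABSTRACT = {}                       # abstract variable name v(P) -> the polynomial P

def q_poly(t, I):                   # Definition 14
    if isinstance(t, str):
        return var(t)
    p = I[t[0]](*[q_poly(a, I) for a in t[1:]])
    if is_nonneg(p):
        return p
    if is_negative(p):
        return const(0)
    name = "v(%s)" % sorted(p.items())   # one abstract variable per distinct P
    ABSTRACT[name] = p
    return var(name)

def substitute(q, name, p):         # replace the variable `name` in q by the polynomial p
    r = {}
    for m, c in q.items():
        term = const(c)
        for v in m:
            term = mul(term, p if v == name else var(v))
        r = add(r, term)
    return r

def reduce_q(q):                    # Lemma 19 loop: v(P) occurring only negatively -> N(P)
    while not is_nonneg(q):
        cands = [v for m in q for v in m
                 if v in ABSTRACT and not any(v in m2 for m2 in nonneg_part(q))]
        if not cands:
            break
        q = substitute(q, cands[0], nonneg_part(ABSTRACT[cands[0]]))
    return q

def orient_const(l, r, I):          # Section 3.2 (Corollary 8): (l >_N r, l >=_N r)
    d = sub(p_left(l, I), p_right(r, I))
    return is_positive(d), is_nonneg(d)

def orient_coeff(l, r, I):          # Section 4.2 (Corollary 17): (l =_N r, l >_N r, l >=_N r)
    ql, qr = q_poly(l, I), q_poly(r, I)
    d = reduce_q(sub(ql, qr))
    return ql == qr, is_positive(d), is_nonneg(d)

# Examples 5 and 9: 0_Z = 0, half_Z(x) = x - 1, bits_Z(x) = half#_Z(x) = x,
# s_Z(x) = bits#_Z(x) = x + 1.
I5 = {'0': lambda: const(0), 'half': lambda x: sub(x, const(1)), 'bits': lambda x: x,
      'half#': lambda x: x, 's': lambda x: add(x, const(1)), 'bits#': lambda x: add(x, const(1))}
RULE3 = (('half', ('s', ('s', 'x'))), ('s', ('half', 'x')))       # half(s(s(x))) -> s(half(x))
DP7 = (('bits#', ('s', 'x')), ('bits#', ('half', ('s', 'x'))))     # bits#(s(x)) -> bits#(half(s(x)))
# Examples 10 and 18: -_Z(x, y) = x - y, s_Z(x) = x + 1, 0_Z = 0, mod#_Z(x, y) = x.
I10 = {'-': lambda x, y: sub(x, y), 's': lambda x: add(x, const(1)),
       '0': lambda: const(0), 'mod#': lambda x, y: x}
RULE8 = (('-', ('s', 'x'), ('s', 'y')), ('-', 'x', 'y'))           # s(x) - s(y) -> x - y
DP15 = (('mod#', ('s', 'x'), ('s', 'y')),                          # dependency pair 15
        ('mod#', ('-', ('s', 'x'), ('s', 'y')), ('s', 'y')))

if __name__ == "__main__":
    print(orient_const(*RULE3, I5), orient_const(*DP7, I5))      # (False, True) (True, True)
    print(orient_coeff(*RULE8, I10), orient_coeff(*DP15, I10))   # (True, False, True) (False, True, True)
```

For rule 3 the bounds give x + 1 ≥ x + 1 (weak only), for dependency pair 7 they give x + 2 > x + 1, and for dependency pair 15 the abstract variable v(x − y) is replaced by its non-negative part x so that the difference becomes the constant 1.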

5 Experimental Results 

We implemented the techniques described in this paper in the Tyrolean Termination Tool [14]. We tested 219 terminating TRSs and 239 innermost terminating TRSs from three different sources: 

— all 89 terminating and 109 innermost terminating TRSs from Arts and Giesl [2], 

— all 23 TRSs from Dershowitz [7], 

— all 116 terminating TRSs from Steinbach and Kühler [20, Sections 3 and 4]. 

Nine of these TRSs appear in more than one collection, so the total number is 219 for termination and 239 for innermost termination. In our experiments we use the dependency pair method with the recursive SCC algorithm of [12] for analyzing the dependency graph. The recent modular refinements mentioned after Theorem 12 are also used, except when we try to prove (full) termination with the approach of Section 4 (but when the TRS is non-overlapping we do use modularity since in that case innermost termination guarantees termination). All experiments were performed on a PC equipped with a 2.20 GHz Mobile Intel Pentium 4 Processor-M and 512 MB of memory. 

Tables 1 and 2 show the effect of the negative constant method developed in Section 3. In Table 1 we prove termination whereas in Table 2 we prove innermost termination. In the columns labelled N we use the natural interpretation for certain function symbols that appear in many example TRSs: 

$$0_{\mathbb Z} = 0 \qquad 1_{\mathbb Z} = 1 \qquad 2_{\mathbb Z} = 2$$

$$\mathsf{s}_{\mathbb Z}(x) = x + 1 \qquad +_{\mathbb Z}(x, y) = x + y \qquad \times_{\mathbb Z}(x, y) = xy$$

$$\mathsf{p}_{\mathbb Z}(x) = x - 1\,{}^{1} \qquad -_{\mathbb Z}(x, y) = x - y\,{}^{1}$$

For other function symbols we take linear interpretations 

$$f_{\mathbb Z}(x_1, \ldots, x_n) = a_1 x_1 + \cdots + a_n x_n + b$$

¹ In Tables 1 and 2 we do not fix the interpretation of p when −1 is not included in the indicated constant range and the natural interpretation of − is not used. 
Table 1. Negative constants: termination. 

constant         0,1                  0,1,2                0,1,-1 
coefficient      0,1                  0,1,2                0,1 
interpretation   E      N      NE     E      N      NE     E      N      NE 
success          179    158    182    180    159    183    188    164    191 
  (avg. time)    0.20   0.09   0.08   0.20   0.09   0.09   0.24   0.14   0.12 
failure          40     61     37     39     60     36     31     55     28 
  (avg. time)    0.03   0.02   0.03   1.11   0.15   1.43   0.93   0.43   1.29 
timeout          0      0      0      0      0      0      0      0      0 
total time       36.41  15.72  16.56  78.48  23.88  67.29  73.01  46.14  59.45 

Table 2. Negative constants: innermost termination. 

constant         0,1                  0,1,2                0,1,-1 
coefficient      0,1                  0,1,2                0,1 
interpretation   E      N      NE     E      N      NE     E      N      NE 
success          200    177    202    202    179    204    209    183    211 
  (avg. time)    0.19   0.10   0.09   0.19   0.10   0.09   0.23   0.14   0.12 
failure          39     62     37     37     60     35     30     56     28 
  (avg. time)    0.04   0.03   0.05   1.19   0.16   1.47   0.92   0.43   1.26 
timeout          0      0      0      0      0      0      0      0      0 
total time       39.46  18.92  19.59  81.94  26.97  70.07  75.24  49.10  61.24 
with ai , . . . , o„ in the indicated coefficient range and b in the indicated constant 
range. In the columns labelled E we do not fix the interpretations in advance; for 
all function symbols we search for an appropriate linear interpretation. In the 
columns labelled ne we start with the default natural interpretations but allow 
other linear interpretations if (innermost) termination cannot be proved. Deter- 
mining appropriate coefficients can be done by a straightforward but inefficient 
“generate and test” algorithm. We implemented a more involved algorithm in 
our termination tool, but we anticipate that the recent techniques described in 
[6] might be useful to optimize the search for coefficients. 
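As an added illustration (not code from the paper or its termination tool), the following Python carries out the “generate and test” search for linear interpretations in the plain reduction-order setting (strict monotonicity, every rule strictly decreasing over the naturals) and mimics the E, N and NE strategies of the tables; the Peano addition rules are a constructed sample, and the dependency pair refinements and negative-constant interpretations of the paper are not modelled.

```python
from itertools import product

# Added example, not code from the paper or its termination tool: the
# "generate and test" search for linear interpretations
#     f_Z(x1, ..., xn) = a1*x1 + ... + an*xn + b
# in the plain reduction-order setting: every interpretation is strictly
# monotone (a_i >= 1) and every rule l -> r must satisfy [l] > [r] for all
# natural-number arguments.  Terms: a variable is a str, an application is
# (symbol, [args]); a linear polynomial is a dict {variable: coefficient}
# whose empty key '' holds the constant term.

def poly_add(p, q):
    r = dict(p)
    for k, v in q.items():
        r[k] = r.get(k, 0) + v
    return r

def poly_scale(p, c):
    return {k: c * v for k, v in p.items()}

def interpret(term, interp):
    """Polynomial of `term` under interp[f] = (coefficients, constant)."""
    if isinstance(term, str):
        return {term: 1}
    f, args = term
    coeffs, const = interp[f]
    poly = {'': const}
    for a, arg in zip(coeffs, args):
        poly = poly_add(poly, poly_scale(interpret(arg, interp), a))
    return poly

def strictly_greater(p, q):
    """p > q for every natural-number assignment.  For linear polynomials this
    is exact: each variable coefficient of p - q is >= 0 and its constant > 0."""
    d = poly_add(p, poly_scale(q, -1))
    return all(v >= 0 for k, v in d.items() if k != '') and d.get('', 0) > 0

def orients_all(rules, interp):
    return all(strictly_greater(interpret(l, interp), interpret(r, interp))
               for l, r in rules)

def find_interpretation(rules, arities, coeff_range, const_range, fixed=None):
    """Enumerate coefficients (from coeff_range, kept >= 1 for monotonicity) and
    constants (from const_range) for every symbol not pinned by `fixed`, and
    return the first interpretation that orients all rules, else None."""
    fixed = dict(fixed or {})
    free = [(f, n) for f, n in arities.items() if f not in fixed]
    monotone = [a for a in coeff_range if a >= 1]
    per_symbol = [[(list(cs), b) for cs in product(monotone, repeat=n)
                   for b in const_range] for _, n in free]
    for combo in product(*per_symbol):
        interp = dict(fixed)
        interp.update({f: choice for (f, _), choice in zip(free, combo)})
        if orients_all(rules, interp):
            return interp
    return None

def find_ne(rules, arities, coeff_range, const_range, natural):
    """The NE strategy of the tables: keep the natural interpretations fixed
    first; if that fails, search freely over all symbols."""
    return (find_interpretation(rules, arities, coeff_range, const_range, natural)
            or find_interpretation(rules, arities, coeff_range, const_range))

# Constructed sample TRS for addition on Peano numerals:
#     +(x, 0) -> x        +(x, s(y)) -> s(+(x, y))
ZERO = ('0', [])
RULES = [
    (('+', ['x', ZERO]), 'x'),
    (('+', ['x', ('s', ['y'])]), ('s', [('+', ['x', 'y'])])),
]
ARITIES = {'+': 2, 's': 1, '0': 0}
# Natural interpretations 0_Z = 0, s_Z(x) = x + 1, +_Z(x, y) = x + y.
NATURAL = {'0': ([], 0), 's': ([1], 1), '+': ([1, 1], 0)}

if __name__ == '__main__':
    # N alone fails: +(x, 0) -> x would need x + 0 > x.
    print(find_interpretation(RULES, ARITIES, [0, 1], [0, 1], NATURAL))
    # E with coefficients {0, 1} fails too: the second rule needs coefficient 2
    # on the second argument of + (compare the remark on 'double' in the text).
    print(find_interpretation(RULES, ARITIES, [0, 1], [0, 1]))
    # NE with coefficients {0, 1, 2}: falls back to the free search and succeeds.
    print(find_ne(RULES, ARITIES, [0, 1, 2], [0, 1], NATURAL))
```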

We list the number of successful termination attempts, the number of failures 
(which means that no termination proof was found while fully exploring the 
search space implied by the options), and the number of timeouts, which we set 
to 30 seconds. The figures below the number of successes and failures indicate 
the average time in seconds. 
Table 3. Negative coefficients.

                  termination                  innermost termination
interpretation    E         N         NE       E         N         NE
success           109       102       114      181       161       185
                  0.74      0.39      0.58     0.04      0.06      0.07
failure           71        96        66       30        62        28
                  2.50      0.71      2.48     1.72      0.33      2.00
timeout           39        21        39       28        16        26
total time        1428.41   738.16    1400.60  899.01    511.14    848.25

By using coefficients from {0, 1, 2} very few additional examples can be handled.
For termination the only difference is [2, Example 3.18] which contains a
unary function double that requires 2x as interpretation. The effect of allowing
−1 as constant is more apparent. Taking default natural interpretations for certain
common function symbols reduces the execution time considerably but also
reduces the termination proving power. However, the NE columns clearly show
that fixing natural interpretations initially but allowing different interpretations
later is a very useful idea.

In Table 3 we use the negative coefficient method developed in Section 4.
Not surprisingly, this method is more suited for proving innermost termination
because the method is incompatible with the recent modular refinements of the
dependency pair method when proving termination (for non-overlapping TRSs).

Comparing the first (last) three columns in Table 3 with the last three
columns in Table 1 (Table 2) one might be tempted to conclude that the approach
developed in Section 4 is useless in practice. We note however that several challenging
examples can only be handled by polynomial interpretations with negative
coefficients. We mention TRSs that are (innermost) terminating because of
non-linearity (e.g. [2, Examples 3.46, 4.12, 4.25]) and TRSs that are terminating
because the difference of certain arguments decreases (e.g. [2, Example 4.30]).
Abstract. Symmetry-breaking in constraint satisfaction problems is a
well-established area of AI research which has recently developed strong
interactions with symbolic computation, in the form of computational
group theory. GE-trees are a new conceptual abstraction, providing low-degree
polynomial time methods for breaking value symmetries in constraint
satisfaction problems. In this paper we analyse the structure
of symmetry groups of constraint satisfaction problems, and implement
several combinations of GE-trees and the classical SBDD method for
breaking all symmetries. We prove the efficacy of our techniques, and
present preliminary experimental evidence of their practical efficiency.



1 Introduction 

Constraint systems are a generalization of the Boolean satisfiability problems 
that play a central role in theoretical computer science. Solving constraint sat- 
isfaction problems (CSPs) in general is thus NP-complete; but effective solving 
of constraint systems arising from real problems, such as airline scheduling, is of 
enormous industrial importance. 

There has been a great deal of research interest in dealing with symmetries 
in CSPs in recent years. CSPs are often solved using AI search techniques in- 
volving backtrack search and propagation. Many approaches to dealing with 
symmetries (constraints and/or solutions that are interchangeable in terms of 
the structure of the problem) are themselves based on refinements of AI search 
techniques. These include imposing some sort of ordering (before search) on oth- 
erwise interchangeable elements, posting constraints at backtracks that rule out 
search in symmetric parts of the tree, and checking that nodes in the search tree 
are not symmetrically equivalent to an already-visited state. These approaches 
are collectively known as lexicographic ordering [1], symmetry breaking during 
search (SBDS) [2,3], and symmetry breaking by dominance detection (SBDD) 
[4,5]. Methods can be, and are, optimised for either finding the first solution or 
finding all solutions. In this paper we consider only the problem of finding all 
solutions. 

A promising recent approach has been to consider the symmetries of a given 
CSP as a group of permutations. It then becomes possible to pose and answer 
questions about symmetry using computational group theory. In effect, the AI 
search for solutions proceeds as before, but with fast permutation group algorithms
supplying information that restricts search to symmetrically inequivalent
nodes. Both SBDS and SBDD have been successfully implemented in this way
[6,7] using GAP-ECLiPSe, an interface between the ECLiPSe [8] constraint logic
programming system and the GAP [9] computational group theory system.

An even more recent advance has been the theory of GE-trees [10]. 

The construction and traversal of a GE-tree breaks all symmetries in any
CSP. In the special - but common - case that the CSP has only value symmetries
(for example graph colouring problems, where the colours are distinct
but interchangeable) a GE-tree can be constructed in low-degree polynomial
time. GE-trees provide both a useful analytic framework for comparing symmetry
breaking methods, and, for value symmetries, a practical method for efficient
search.

In this paper we describe initial results, both theoretical and practical, con- 
cerning the integration of GE-tree construction with SBDD. We combine heuris- 
tic AI search with mathematical structures and algorithms in order to extend 
and enhance existing - mainly pure AI - techniques. 

In the remainder of this paper we provide a formal framework for CSPs,
variable and value symmetries and GE-trees. In the following section, we describe 
SBDD and make some observations about variations of this algorithm. In the 
next two sections we identify and discuss a mathematically special, but common, 
situation in which we can uncouple variable and value symmetries. We follow this 
with preliminary results for a range of symmetry breaking approaches involving 
various combinations of SBDD and GE-tree methods. 

1.1 CSPs and Symmetries 

Definition 1. A CSP L is a set of constraints C acting on a finite set of variables
Δ := {X_1, X_2, ..., X_n}, each of which has a finite domain of possible values
D_i := D(X_i) ⊆ Λ. A solution to L is an instantiation of all of the variables in
Δ such that all of the constraints in C are satisfied.

Constraint logic programming systems such as ECLiPSe model CSPs using
constraints over finite domains. The usual search method is depth-first, with 
values assigned to variables at choice points. After each assignment a partial 
consistency test is applied: domain values that are found to be inconsistent are 
deleted, so that a smaller search tree is produced. Backtrack search is itself a con- 
sistency technique, since any inconsistency in a current partial assignment (the 
current set of choice points) will induce a backtrack. Other techniques include 
forward-checking, conflict-directed backjumping and look-ahead. 

Statements of the form (var = val) are called literals, so a partial assignment
is a conjunction of literals. We denote the set of all literals by χ, and generally
denote variables in Roman capitals and values by lower case Greek letters. We
denote “constrained to be equal” by #=.

Definition 2. Given a CSP L, with a set of constraints C, and a set of literals
χ, a symmetry of L is a bijection f : χ → χ such that a full assignment A of L
satisfies all constraints in C if and only if f(A) does.
We denote the image of a literal (X = α) under a symmetry g by (X = α)g.
The set of all symmetries of a CSP form a group: that is, they are a collection of
bijections from the set of all literals to itself that is closed under composition of
mappings and under inversion. We denote the symmetry group of a CSP by G.

Note that under this definition of a symmetry, it is entirely possible to map a
partial assignment that does not violate any constraints to a partial assignment
which does. Suppose for instance that we had constraints (X_1 #= X_2), (X_2 #=
X_3) where each X_i had domain [α, β]. Then the symmetry group of the CSP
would enable us to freely interchange X_1, X_2 and X_3. However, this means that
we could map the partial assignment (X_1 = α) ∧ (X_3 = β) (which does not break
either of the constraints) to (X_1 = α) ∧ (X_2 = β) (which clearly does). This
shows that the interaction between symmetries and consistency can be complex.

There are various ways in which the symmetries of a CSP can act on the set
of all literals; we now examine these in more detail.

Definition 3. A value symmetry of a CSP is a symmetry g ∈ G such that if
(X = α)g = (Y = β) then X = Y.

The collection of value symmetries form a subgroup of G: that is, the set of
value symmetries is itself a group, which we denote by G^val. We distinguish two
types of value symmetries: a group G^val acts via pure value symmetries if for all
g ∈ G^val, whenever (X = α)g = (X = β), we have (Y =  α)g = (Y = β). There
are CSPs for which this does not hold. However, at a cost of making distinct,
labelled copies of each domain we have the option to assume that G^val acts via
pure value symmetries. If G^val is pure then we may represent it as acting on the
values themselves, rather than on the literals: we write αg to denote the image
of α under g ∈ G^val.

We wish to define variable symmetries in an analogous fashion; however we 
must be a little more cautious at this point. We deal first with the standard case. 

Definition 4. Let L be a CSP for which all of the variables have the same
domains, and let G be the full symmetry group of L. A variable symmetry of L
is a symmetry g ∈ G such that if (X = α)g = (Y = β), then α = β.

We need a slightly more general definition than this. Recall that if the value 
group does not act via pure value symmetries, we make labelled copies of the 
domains for each variable: afterwards we can no longer use Definition 4 to look 
for variable symmetries, as the variables no longer share a common domain. 
However, the domains of the variables do match up in a natural way. We describe 
g ∈ G as being a variable symmetry if, whenever (X = α)g = (Y = β), the values
α and β correspond to one another under this natural bijection. Formally, we
have the following definition. 

Definition 5. Let L be a CSP with symmetry group G. Fix a total ordering on
D_i for each i, and denote the elements of D_i by α_ij. A variable symmetry is a
symmetry g ∈ G such that if (X_i = α_ij)g = (X_k = α_kl) then l = j.

That is, the original value and the image value have the same position in 
the domain ordering. If all variables share a common domain then we recover 
Definition 4 from Definition 5. Note that in the above definition, we may order
at least one domain arbitrarily without affecting whether or not a symmetry is 
deemed to be a variable symmetry: it is the relative ordering of the domains 
that is crucial. 

There may be several possible orderings of the domains, corresponding to 
different choices of variable group: the value group is often a normal subgroup 
of G (see section 3), and hence is uniquely determined, but there will usually 
be several (conjugate) copies of the variable group, corresponding to distinct 
split extensions. If there is a unique copy of the variable group, as well as a 
unique copy of the value group, then G is the direct product of these two normal 
subgroups. However, in the current context, ordering any one domain induces 
a natural order on all of the remaining domains. This is because our variables 
either have a common domain, or originally had a common domain which has 
now been relabelled into several distinct copies (one for each variable). 

The collection of all variable symmetries (for a given ordering on each domain)
is a subgroup of G, which we denote G^var. We define a pure variable
symmetry to be a variable symmetry such that if (X_i = α_ij)g = (X_k = α_kj)
then the value of k does not depend on j.

1.2 GE-Trees

In [10] we introduced the GE-tree, a search tree T for a CSP L with the property 
that searching T finds exactly one representative of each equivalence class of 
solutions under the symmetry group of L. Before we can define a GE-tree, we 
need a few more group-theoretic and search-based definitions. 

We consider only search strategies in which all allowed options for one vari- 
able are considered before any values for other variables. This is a common, 
although not universal, pattern in constraint programming. Therefore, we con- 
sider search trees to consist of nodes which are labelled by variables (except for 
the leaves, which are unlabelled), and edges labelled by values. We think of this 
as meaning that the variable is set to that value as one traverses the path from 
the root of the tree toward the leaves. At a node N, the partial assignment given
by reading the labels on the path from the root to N (ignoring the label at N
itself) is the state at N. We will often identify nodes with their state, when the
meaning is clear. By the values in N we mean the values that occur in literals
in the state at N; we denote this set by Val(N). We define Var(N) similarly for
variables. We will often speak of a permutation as mapping a node N to a node
M, although strictly speaking the permutation maps the literals in the state at
N to the literals in the state at M (in any order).

Definition 6. Let G be a group of symmetries of a CSP. The stabiliser of a
literal (X = α) is the set of all symmetries in G that map (X = α) to itself.
This set is itself a group. The orbit of a literal (X = α), denoted (X = α)^G, is
the set of all literals that can be mapped to (X = α) by a symmetry in G. That
is

    (X = α)^G := {(Y = β) : ∃g ∈ G s.t. (Y = β)g = (X = α)}.

The orbit of a node is defined similarly. 
Given a collection S of literals, the pointwise stabiliser of S is the subgroup
of G which stabilises each element of S individually. The setwise stabiliser of S 
is the subgroup of G that consists of symmetries mapping the set S to itself. 

Definition 7. A GE-tree (group equivalence tree) for a CSP with symmetry 
group G is any search tree T satisfying the following two axioms: 

1. No node of T is isomorphic under G to any other node.

2. Given a full assignment A, there is at least one leaf of T which lies in the 
orbit of A under G. 

Therefore, the nodes of T are representatives for entire orbits of partial as- 
signments under the group, and the action of the group on the tree fixes every 
node. Of course, a GE-tree will be constructed dynamically, and the constraints 
of a CSP will generally prevent us from searching the whole of T. We define
a GE-tree to be minimal if the deletion of any node (and its descendants) will 
delete at least one full assignment. 

One of the main results in [10] is a constructive proof of the following Theo- 
rem: 

Theorem 1. Let L be a CSP with only value symmetries. Then breaking all
symmetries of L is tractable. 

The theorem is proved by giving a low-degree polynomial algorithm which 
constructs a minimal GE-tree for L. This algorithm is summarized as follows: 

At each node N in the search tree do:
    Compute the pointwise stabiliser G_(Val(N)) of Val(N).
    Select a variable X which is not in Var(N).
    Compute the orbits of G_(Val(N)) on Dom(X).
    For each orbit O do:
        Construct a downedge from N labelled with an element from O.
    End for.
End for.

It is shown in [10] that this can all be done in low-degree polynomial time. The 
result of only considering this reduced set of edges is that no two nodes in the 
resulting tree will be equivalent to each other under the subgroup of G that 
consists of value symmetries. 

This theorem has the following immediate corollary: 

Corollary 1. Let L be any CSP with symmetry group G. Then breaking the 
subgroup of G that consists only of value symmetries is tractable (i.e. can be
done in polynomial time). 

This begs the question: how may we break the remaining symmetries of a CSP?
For certain groups of variable symmetries, such as the full symmetric group, 
the direct product of two symmetric groups, and the wreath product of two 
symmetric groups, it is relatively straightforward to develop tractable algorithms
for constructing GE-trees. However at present we have no algorithm for arbitrary 
groups: the difficulty is that the action of the variable group does not, in general, 
map nodes of a search tree to nodes of a search tree. Therefore to solve this 
problem in general, we seek to develop hybrid approaches between our GE-tree 
construction and pre-existing symmetry breaking algorithms. 

2 Symmetry Breaking by Dominance Detection 

In this section we briefly describe symmetry breaking by dominance detection 
(SBDD). Let L be any CSP with symmetry group G. During backtrack search
we maintain a record Γ of fail sets corresponding to the roots of completed
subtrees. Each fail set consists of those (var = val) assignments made during
search to reach the root of the subtree. We also keep track of the set P of current
ground variables: variables having unit domain, either by search decision or by
propagation.

The next node in the search tree is dominated if there is a g ∈ G and S ∈ Γ
such that

    Sg ⊆ P.

In the event that we can find suitable g and S, it is safe to backtrack, since we
are in a search state symmetrically equivalent to one considered previously. In 
practice, the cost of detecting dominance is often outweighed by the reduction 
in search. 

SBDD works well in practice: empirical evidence suggests that SBDD can deal 
with larger symmetry groups than many other techniques. It is possible to de- 
tect dominance without using group theoretic techniques. However, this involves 
writing a bespoke detector for each problem, usually in the form of additional 
predicates in the constraint logic system. Using computational group theory en- 
ables generic SBDD, with the computational group theory system needing only 
a generating set for G to be able to detect dominance. 

A symmetry breaking technique is called complete if it guarantees never to 
return two equivalent solutions. Both SBDD and GE-trees are complete, in fact, 
SBDD remains complete even when the dominance check is not performed at 
every node, provided that it is always performed at the leaves of the search 
tree (i.e. at solutions). This observation allows a trade-off between the cost of 
performing dominance checks and the cost of unnecessary search. Another possi- 
ble approach is to use an incomplete, but presumably faster, symmetry breaking 
technique combined with a separate ‘isomorph rejection’ step to eliminate equiv- 
alent solutions. 

The efficient algorithm for breaking value symmetries - GE-tree construction
- can safely be combined with SBDD, as shown in Theorem 13 of [10]. The
algorithm implied by this theorem performs a dominance check, using the full
group G of the CSP L, at each node of a GE-tree for L under G^val.

In the next two sections we will identify and discuss a mathematically special, 
but common, situation in which we can uncouple variable and value symmetries. 
We follow this with preliminary experimental results for a range of symmetry 
breaking approaches involving combinations of SBDD and GE-tree methods. 
3 Complementary Variable Symmetries

We say that a group G is generated by a set X if every element of G can 
be written as product of elements of X and their inverses. For a great many 
CSPs, each element of the symmetry group can be uniquely written as a single 
value symmetry followed by a single variable symmetry. In this case we say that 
the variable symmetries form a complement to the value symmetries in the full 
symmetry group. Formally, a subgroup H_1 of a group H is a complement to a
subgroup H_2 of H if the following conditions hold:

1. H_2 is a normal subgroup of H: this means that for all elements h ∈ H the
set {h h_2 : h_2 ∈ H_2} is equal to the set {h_2 h : h_2 ∈ H_2}.

2. |H_1 ∩ H_2| = 1.

3. The set {h_1 h_2 : h_1 ∈ H_1, h_2 ∈ H_2} contains all elements of H.

If this is true for a CSP with symmetry group G when H_1 is G^var and H_2 is
G^val, then the CSP has complementary variable symmetry.

This holds, for instance, for any CSP where G is generated by pure value 
symmetries and pure variable symmetries. For example, in a graph colouring 
problem, the symmetries are generated by relabelling of the colours (pure value 
symmetries) and the automorphism group of the graph (pure variable symme- 
tries). 

Before going further, we collect a few facts describing the way in which the 
variable and value symmetries interact. 

Lemma 1. If G is generated by a collection of pure variable symmetries and
some value symmetries, then G^val is a normal subgroup of G.

Proof. To show that G^val is a normal subgroup of G, we show that for all g ∈ G
and all h ∈ G^val the symmetry g^{-1}hg ∈ G^val.

Let h ∈ G^val and let g ∈ G. Then g is a product of variable and value
symmetries. Consider the literal (X_i = α_ij)g^{-1}hg. The image of a literal (X_k =
α_kl) under each variable symmetry in g depends only on k, not on l, and each
value symmetry fixes the variables in each literal. Therefore as we move through
the symmetries that make up g^{-1}, we will map X_i to various other variables,
but each of these mappings will be inverted as we apply each of the symmetries
that make up g. Thus (X_i = α_ij)g^{-1}hg = (X_i = α_ij') for some j', and so g^{-1}hg
is a value symmetry.

We note that if G contains any non-pure variable symmetries then G^val is
not, in general, a normal subgroup. Suppose that g ∈ G^var maps (X_i = α_ij) ↦
(X_k = α_kj), and also maps (X_i = α_ij') ↦ (X_l = α_lj'). Let h ∈ G^val map
(X_i = α_ij) ↦ (X_i = α_ij'). Then

    (X_k = α_kj)g^{-1}hg = (X_i = α_ij)hg
                       = (X_i = α_ij')g
                       = (X_l = α_lj'),

but the map (X_k = α_kj) ↦ (X_l = α_lj') is clearly not a value symmetry.
A symmetry group G for a CSP can quickly be tested for complementary
value symmetry. There are several different ways of doing so, depending on 
how G has been constructed. If G has been input as a collection of pure value 
symmetries and a collection of pure variable symmetries then we always have 
complementary variable symmetry, and the construction of the subgroup of value 
symmetries and the group of variable symmetries is immediate. 

So suppose that G has not been input in this form, and that we have G and 
a list of the domains for each variable. If the domains are not equal, and we have 
some value symmetries, then assume also that the bijections between each pair 
of domains are given. 

We first check that the subgroup of value symmetries forms a normal sub- 
group of G, which can be done in time polynomial in |χ|. We then form the
quotient group of G by G^val: this basically means that we divide out by the
subgroup of all value symmetries, and can also be done in polynomial time. If 
the size of this quotient group is equal to the size of the group of variable sym- 
metries, then the CSP has complementary variable symmetry, as it is clear that 
the only permutation of the set of all literals which lies in both the group of 
variable symmetries and the group of value symmetries is the identity map. 

If the variables of the CSP share a common domain, the fastest way to find 
the group of variable symmetries (if this is not immediately clear from the way 
in which G has been described) is to compute the pointwise stabiliser in G of 
each of the values. This can be done in low-degree polynomial time [11]. 

In the next section we describe a new algorithm for symmetry breaking which 
is applicable to all CSPs with complementary variable symmetry. 

4 SBDD on Complements 

This approach can be summarized by saying that we construct a GE-tree for 
the set of value symmetries, and then search this using SBDD. However, we do 
not use SBDD on the full group, as this would involve also checking the value 
symmetries once more, but instead carry out SBDD only on the subgroup of 
variable symmetries. 

In more detail, we proceed as follows. At each node N in the search tree we
start by applying the GE-tree algorithm for G^val to label N with a variable X
and produce a short list of possible downedges from N, say α_1, α_2, ..., α_k ∈
Dom(X).

We now perform dominance detection on each of N ∪ (X = α_i), but in a
2-stage process separating out the variable mapping from the value mapping.
That is, using only G^var we check whether Var(N) ∪ {X} is dominated by the
variables in any other node. Each time that we find dominance by a node M,
this implies that Var(Mg) ⊆ Var(N ∪ {X}). We therefore apply g to the literals
in M, and check whether there is an element of G^val that can map the resulting
collection of literals to N ∪ (X = α_i) for 1 ≤ i ≤ k, bearing in mind that
we now know precisely which literal in Mg must be mapped to each literal in
N ∪ (X = α_i), since the value group fixes the variables occurring in each literal.
This latter query is therefore a low-degree polynomial time operation.
Only those α_i which are never dominated in this way are used to construct
new nodes in T.
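As an added illustration covering both the GE-tree algorithm of Section 1.2 and the two-stage SBDD check just described (it is not the authors' GAP-ECLiPSe code), the following Python enumerates small permutation groups explicitly, searches a GE-tree for the value group, optionally filters candidate children by SBDD on the variable group, and cross-checks the leaf count against a brute-force orbit count; the 4-cycle colouring instance and its groups are constructed here.

```python
from itertools import product
# Added example, not the paper's GAP-ECLiPSe implementation: the GE-tree
# algorithm for value symmetries (Section 1.2), optionally combined with the
# two-stage SBDD check on the variable group (Section 4).  Groups are enumerated
# explicitly from generators (toy instances only).  A CSP is n variables 0..n-1
# over a common domain with "not equal" constraints (i, j), i.e. graph
# colouring; a permutation is a tuple p with p[x] the image of point x.

def closure(generators, degree):
    """All elements of the permutation group generated by `generators`."""
    identity = tuple(range(degree))
    group, frontier = {identity}, [identity]
    while frontier:
        p = frontier.pop()
        for g in generators:
            q = tuple(g[p[x]] for x in range(degree))  # p followed by g
            if q not in group:
                group.add(q)
                frontier.append(q)
    return group

def pointwise_stabiliser(group, points):
    return [p for p in group if all(p[x] == x for x in points)]

def orbit_representatives(group, domain):
    """The smallest element of each orbit of `group` on `domain`."""
    reps, seen = [], set()
    for v in domain:
        if v not in seen:
            reps.append(v)
            seen.update(p[v] for p in group)
    return reps

def consistent(state, constraints):
    """True if no X_i != X_j constraint is violated by the partial assignment."""
    return all(not (i in state and j in state and state[i] == state[j])
               for i, j in constraints)

def dominated(state, fail_sets, var_group, val_group):
    """Section 4: does a recorded fail set M map into `state` under a variable
    symmetry r followed by a value symmetry l?"""
    for M in fail_sets:
        for r in var_group:
            if not all(r[i] in state for i in M):   # stage 1: Var(Mr) inside Var(state)
                continue
            # stage 2: r fixes which literal of Mr must land on which literal of
            # state, so l is pinned down variable by variable; try each l
            if any(all(state[r[i]] == l[M[i]] for i in M) for l in val_group):
                return True
    return False

def ge_tree_search(n_vars, domain, constraints, val_group, var_group=None):
    """GE-tree for val_group, variables in index order; with var_group given,
    every candidate child is also subjected to SBDD.  Returns the leaves."""
    leaves, fail_sets = [], []

    def visit(state):
        if len(state) == n_vars:
            leaves.append(tuple(state[i] for i in range(n_vars)))
        else:
            X = len(state)                              # next unassigned variable
            stab = pointwise_stabiliser(val_group, set(state.values()))
            for alpha in orbit_representatives(stab, domain):
                child = dict(state)
                child[X] = alpha
                if not consistent(child, constraints):
                    continue
                if var_group and dominated(child, fail_sets, var_group, val_group):
                    continue
                visit(child)
        fail_sets.append(dict(state))   # subtree completed: record its root

    visit({})
    return leaves

def all_solutions(n_vars, domain, constraints):
    """Plain enumeration without symmetry breaking, for cross-checking."""
    return [sol for sol in product(domain, repeat=n_vars)
            if consistent(dict(enumerate(sol)), constraints)]

def orbit_count(solutions, var_group, val_group):
    """Classes of `solutions` under G^var G^val, via lexicographically least images."""
    canonical = set()
    for sol in solutions:
        images = []
        for r in var_group:
            moved = [None] * len(sol)
            for i, v in enumerate(sol):
                moved[r[i]] = v                  # (X_i = v) -> (X_{r(i)} = v)
            images.extend(tuple(l[v] for v in moved) for l in val_group)
        canonical.add(min(images))
    return len(canonical)

# Constructed instance: 3-colouring of the 4-cycle 0-1-2-3-0.  Value symmetries:
# S_3 on the colours; variable symmetries: the dihedral group D_4 of the cycle.
C4_EDGES = [(0, 1), (1, 2), (2, 3), (3, 0)]
COLOURS = (0, 1, 2)
S3 = closure([(1, 0, 2), (1, 2, 0)], 3)
D4 = closure([(1, 2, 3, 0), (0, 3, 2, 1)], 4)
```

Calling ge_tree_search(4, COLOURS, C4_EDGES, S3) returns three leaves, one per S_3 class of the 18 proper colourings, and adding D4 as var_group returns two, matching orbit_count under the full group.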

Theorem 2. The tree T constructed as above is a GE-tree for the full symmetry
group G.

Proof. We start by showing that no two nodes of this tree are isomorphic under
G. Let M and N be two distinct nodes, and suppose that there exists g ∈ G
such that Mg = N. By assumption, we can write all elements of G as a product
of a value symmetry and a variable symmetry, so write g = lr where l is a value
symmetry and r is a variable symmetry. Suppose (without loss of generality, since
all group elements are invertible) that M is to the right of N in the search tree,
so that we will have found N first during search. Then the partial assignment
N' := Nr^{-1} is the image of N under an element of the variable group, and
contains the same variables as M. But this means that in our dominance check,
we will discover that M is dominated by an ancestor of N, contradicting the
construction of T.

Next we show that any full assignment corresponds to at least one leaf of T.
Let A be a full assignment, and let X_1 be the variable at the root of T. Then
for some α_1 ∈ Dom(X_1) the literal (X_1 = α_1) ∈ A. Since the downedges from
the root are labelled with orbit representatives of G on Dom(X_1), there exists
β_1 ∈ Dom(X_1) and x_1 ∈ G^val such that (X_1 = α_1)x_1 = (X_1 = β_1) and β_1 is
the label of a downedge from the root. Thus Ax_1 contains a node of the tree at
depth 1.

Suppose that Ax_i contains a node N of the tree at depth i, and suppose that
the label at N is X_{i+1}. Note that since A is a full assignment, we must have
(X_{i+1} = α_{i+1}) ∈ A, for some α_{i+1} ∈ Dom(X_{i+1}). We subdivide into two cases.

If there exists β_{i+1} in the orbit of α_{i+1} under G^val such that β_{i+1} is the label
of a downedge from N, then letting x_{i+1} ∈ G^val map α_{i+1} to β_{i+1} we see that
Ax_i x_{i+1} contains a node at depth i + 1.

Suppose instead that this is not the case. Then some orbit representative
(X_{i+1} = β_{i+1}), in the orbit of (X_{i+1} = α_{i+1}) under G^val, has been selected
by the GE-tree technique but then rejected due to SBDD considerations. This
means that there is a node M at depth j ≤ i + 1, which is to the left of N in T,
and which dominates N ∪ (X_{i+1} = β_{i+1}). Hence there exists an element g ∈ G
such that (N ∪ (X_{i+1} = β_{i+1}))g contains M. Let h ∈ G^val map (X_{i+1} = α_{i+1})
to (X_{i+1} = β_{i+1}). Then Ax_i hg contains M. Either it is the case that there is a
node at depth i + 1 below M which can be reached from Ax_i hg using only value
symmetries, or there exists a node M' to the left of M which dominates some
descendant of M that is contained in an image of Ax_i hg. Since this “mapping
to left” operation can only be carried out a finite number of times, at some stage
we must find a node of depth i + 1 which is contained in an image of A.

We note at this point that the tree T described in this theorem is not nec- 
essarily minimal - the tree constructed by SBDD is not always minimal, so the 
same applies to any hybrid technique involving SBDD. 
We finish this section with a brief discussion of the expected efficiency gain
of this technique over plain SBDD. With SBDD, the cost at each node N of
determining dominance is potentially exponential: for each completed subtree,
we must determine whether or not it is possible to map the set of literals
corresponding to the root of that subtree into the set of literals at N. Best known
algorithms for this run in moderately exponential time (that is, O(e^{n^c}) where
c < 1 and n is the number of points that the group is acting on: namely |χ|, the
sum of the domain sizes). In our hybrid GE-tree and SBDD construction, the
selection of a collection of orbit representatives for the down-edges for a node is
done in low-degree polynomial time: there is a proof in [10] that the time is no
worse than but the actual bound is lower than this. We then perform
SBDD on a reduced number of possible nodes, and with a smaller group.

5 Experiments 

In [10] we showed that, for many CSPs, the cost of reformulating the problem
into one with only value symmetry is clearly outweighed by the gains of the GE-tree
construction, which is a polynomial-time method. In this paper we address
the more standard question of CSPs with both value and variable symmetries.
We take a highly symmetric CSP with known solutions, and compare symmetry
breaking combinations.

The queens graph is a graph with nodes corresponding to squares of a 
chessboard. There is an edge between nodes iff they are on the same row, column, 
or diagonal, i.e. if two queens on those squares would attack each other in the 
absence of any intervening pieces. The colouring problem is to colour the queens 
graph with n colours. If possible, this corresponds to a set of n solutions to the 
n queens problem, forming a disjoint partition of the squares of the chessboard. 

The problem is described by Martin Gardner. There is a construction for n 
congruent to 1 or 5 modulo 6, i.e. where n is not divisible by either 2 or 3. Other 
cases are settled on a case by case basis. Our GSP model has the cells of an 
n X n array as variables, each having domain 1 . . . n. The variable symmetries 
are those of a square (the dihedral group of order 8). The value symmetries are 
the n\ permutations of the domain values (the symmetric group of degree n). 
Our symmetry breaking approaches (using GAP-EGL®PS®) are: 

— SBDD only; 

— GE-tree construction for the value symmetries, with SBDD only used to 
check the symmetric equivalence of solutions (GEtree+iso); 

— GE-tree construction for the value symmetries, with SBDD, on the full 
symmetry group for the CSP, at each node (GEtree+SBDDfull); 

— GE-tree construction for the value symmetries, with SBDD, on the sym- 
metry group for the variables, at each node (GEtree+SBDDval). 

Table 1 gives the GAP-ECLiPSe cpu times for a range of values for n. It seems 
clear that GE-tree combined with full SBDD is competitive with SBDD only. It 
also seems clear that only using SBDD (or any other isomorph rejection method) 
is not competitive: the search tree is still large (since only value symmetries 
are being broken), with expensive variable symmetry breaking being postponed 
until the entire tree is searched. Interestingly, the results for GE-tree construction 
combined with SBDD on the complement of the value symmetries are not as good 
as expected. This approach combines polynomial time value symmetry breaking 
with dominance detection in a smaller algebraic structure than the full symmetry 
group. Therefore, on a heuristic level, we expect faster symmetry breaking than 
for GE-trees and full-group SBDD. Further experiments are required to pinpoint 
the reasons why the time gain is not as great as expected: the combination of 
symmetry breaking methods is, in general, an unexplored research area. 

Table 1. Experimental results (cpu times: GAP part, ECLiPSe part, and their sum Σ) 

n                          5        6        7        8 
solutions                  1        0        1        0 

SBDD              GAP    0.39     0.48     1.01   112.44 
                  ECL    0.19     0.48     7.35   814.92 
                  Σ      0.68     0.96     8.36   927.36 

GEtree+iso        GAP    0.42     0.37     1.49   127.15 
                  ECL    0.09     0.35    12.01  1677.26 
                  Σ      0.51     0.72    13.50  1804.73 

GEtree+SBDDfull   GAP    0.42     0.52     1.51   195.15 
                  ECL    0.06     0.27     6.79   935.74 
                  Σ      0.48     0.79     8.30  1131.19 

GEtree+SBDDval    GAP    0.77     0.93     3.96   930.77 
                  ECL    0.03     0.32     6.65  1146.46 
                  Σ      0.80     1.25    10.61  2077.23 



6 Conclusions 

Symmetry breaking in constraint programming is an important area of interplay 
between artificial intelligence and symbolic computation. In this paper we have 
identified a number of important special structures and cases that can arise in 
the action of a symmetry group on the literals of a constraint problem. We have 
described a number of ways in which known symmetry breaking methods can 
be safely combined and described some new methods exploiting these newly 
identified structures. 

Our initial experimental results demonstrate the applicability of our theoret- 
ical results, with more work to be done to overcome the apparent overheads of 
combining more than one symmetry breaking technique during the same search 
process. Other future work includes assessment of new heuristic approaches, in- 
cluding problem reformulation (to obtain a CSP with a more desirable symmetry 
group than that of a standard CSP model) and using dominance detection only 
at selected nodes in the tree (as opposed to every node, as currently imple- 
mented). We also aim to investigate both the theoretical and practical aspects 
of further useful ways of decomposing the symmetry group of a CSP. 
Abstract. In this paper we introduce a pattern classification system to 
recognize words of minimal length in their automorphic orbits in free 
groups. This system is based on Support Vector Machines and does not 
use any particular results from group theory. The main advantage of the 
system is its stable performance in recognizing minimal elements in free 
groups with large ranks. 



1 Introduction 

This paper is a continuation of the work started in [5,7]. In the previous pa- 
pers we showed that pattern recognition techniques can be successfully used 
in abstract algebra and group theory in particular. The approach gives one 
exploratory methods which could be helpful in revealing hidden mathematical 
structures and formulating rigorous mathematical hypotheses. Our philosophy 
here is that if irregular or non-random behavior has been observed during an 
experiment then there must be a pure mathematical reason behind this phe- 
nomenon, which can be uncovered by a proper statistical analysis. 

In [7] we introduced a pattern recognition system that recognizes minimal 
(sometimes also called Whitehead minimal) words, i.e., words of minimal length 
in their automorphic orbits, in free groups. The corresponding probabilistic clas- 
sification algorithm, a classifier, based on quadratic regression is very fast (linear 
time algorithm) and recognizes minimal words correctly with the high accuracy 
rate of more than 99%. However, the number of model parameters grows as 
a polynomial function of degree 4 on the rank of the free group. This limits 
applications of this system to free groups of small ranks (see Section 3.3). 

In this paper we describe a probabilistic classification system to recognize 
Whitehead-minimal elements which is based on so-called Support Vector Ma- 
chines [9,10]. Experimental results described in the last section show that the 
system performs very well on different types of test data, including data gener- 
ated in groups of large ranks. 

The paper is structured as follows. In the next section we give a brief intro- 
duction to the Whitehead Minimization problem and discuss the limitations of 
the known deterministic procedure. In Section 3 we describe major components 
of the classification system, including generation of training datasets and feature 
representation of elements in a free group. In the last section we describe the evaluation 
procedure and give empirical results on the performance of the system. 



2 Whitehead’s Minimization Problem 

In this section we give a brief introduction to the Whitehead minimization prob- 
lem. 

Let $X$ be a finite alphabet, $X^{-1} = \{x^{-1} \mid x \in X\}$ be the set of formal 
inverses of letters from $X$, and $X^{\pm 1} = X \cup X^{-1}$. For a word $w$ in the alphabet 
$X^{\pm 1}$ by $|w|$ we denote the length of $w$. A word $w$ is called reduced if it does 
not contain subwords of the type $xx^{-1}$ or $x^{-1}x$ for $x \in X$. Applying reduction 
rules $xx^{-1} \to \varepsilon$, $x^{-1}x \to \varepsilon$ (where $\varepsilon$ is the empty word) one can reduce each 
word $w$ in the alphabet $X^{\pm 1}$ to a reduced word $\bar{w}$. The word $\bar{w}$ is uniquely 
defined and does not depend on the order in a particular sequence of reductions. 
The set $F = F(X)$ of all reduced words over $X^{\pm 1}$ forms a group with respect 
to multiplication defined by $u \cdot v = \overline{uv}$ (i.e., to compute the product of words 
$u, v \in F$ one has to concatenate them and then reduce). The group $F$ with 
the multiplication defined as above is called a free group with basis $X$. The 
cardinality $|X|$ is called the rank of $F(X)$. Free groups play a central role in 
modern algebra and topology. 

A bijection $\phi : F \to F$ is called an automorphism of $F$ if $\phi(uv) = \phi(u)\phi(v)$ for 
every $u, v \in F$. The set $\mathrm{Aut}(F)$ of all automorphisms of $F$ forms a group with 
respect to composition of automorphisms. Every automorphism $\phi \in \mathrm{Aut}(F)$ 
is completely determined by its images on elements from the basis $X$ since 
$\phi(x_1 \ldots x_n) = \phi(x_1) \ldots \phi(x_n)$ and $\phi(x^{-1}) = \phi(x)^{-1}$ for any letters $x_i, x \in X^{\pm 1}$. 

An automorphism $t \in \mathrm{Aut}(F(X))$ is called a Whitehead's automorphism if $t$ 
satisfies one of the two conditions below: 

1) $t$ permutes elements in $X^{\pm 1}$; 

2) $t$ fixes a given element $a \in X^{\pm 1}$ and maps each element $x \in X^{\pm 1}$, $x \neq a^{\pm 1}$, 
to one of the elements $x$, $xa$, $a^{-1}x$, or $a^{-1}xa$. 

By $\Omega(X)$ we denote the set of all Whitehead's automorphisms of $F(X)$. It is 
known [8] that every automorphism from $\mathrm{Aut}(F)$ is a product of finitely many 
Whitehead's automorphisms. 

The automorphic orbit $\mathrm{Orb}(w)$ of a word $w \in F$ is the set of all automorphic 
images of $w$ in $F$: 

$\mathrm{Orb}(w) = \{v \in F \mid \exists \varphi \in \mathrm{Aut}(F) \text{ such that } \varphi(w) = v\}.$ 

A word $w \in F$ is called minimal (or automorphically minimal) if $|w| \le |\varphi(w)|$ for 
any $\varphi \in \mathrm{Aut}(F)$. By $w_{\min}$ we denote a word of minimal length in $\mathrm{Orb}(w)$. Notice 
that $w_{\min}$ is not unique. By $WC(w)$ (the Whitehead's complexity of $w$) we denote 
a minimal number of automorphisms $t_1, \ldots, t_m \in \Omega(X)$ such that $t_m \cdots t_1(w) = w_{\min}$. 
The algorithmic problem which requires finding $w_{\min}$ for a given $w \in F$ 
is called the Minimization Problem for $F$; it is one of the principal problems 
in combinatorial group theory and topology. There is a famous Whitehead's 
decision algorithm for the Minimization Problem; it is based on the following 
result due to Whitehead ([11]): if a word $w \in F(X)$ is not minimal then there 
exists an automorphism $t \in \Omega(X)$ such that $|t(w)| < |w|$. Unfortunately, its 
complexity depends on the cardinality of $\Omega(X)$, which is exponential in the rank of 
$F(X)$. We refer to [6] for a detailed discussion on the complexity of Whitehead's 
algorithms. 

In this paper we focus on the Recognition Problem for minimal elements in 
$F$. It follows immediately from Whitehead's result that $w \in F$ is minimal if 
and only if $|t(w)| \ge |w|$ for every $t \in \Omega(X)$ (such elements are sometimes called 
Whitehead's minimal). This gives one a simple deterministic decision algorithm 
for the Recognition Problem, which is of exponential time complexity in the rank 
of $F$. Note that the worst case in terms of the rank occurs when the input word $w$ 
is already minimal. In this situation all of the Whitehead automorphisms $\Omega(X)$ 
have to be applied. 

Construction of a probabilistic classifier which recognizes words of minimal 
length allows one to solve the recognition problem quickly at the expense of a small 
classification error. Such a classifier can be used as a fast minimality check heuristic 
in a deterministic algorithm which solves the minimization problem. 

It is convenient to consider the Minimization Problem only for cyclically 
reduced words in $F$. A word $w = x_1 \ldots x_n \in F(X)$ ($x_i \in X^{\pm 1}$) is cyclically 
reduced if $x_1 \neq x_n^{-1}$. Clearly, every $w \in F$ can be presented in the form $w = 
u^{-1} \bar{w} u$ for some $u \in F(X)$ and a cyclically reduced element $\bar{w} \in F(X)$ such that 
$|w| = |\bar{w}| + 2|u|$. This $\bar{w}$ is unique and it is called a cyclically reduced form of $w$. 
Every minimal word in $F$ is cyclically reduced, therefore, it suffices to construct 
a classifier only for cyclically reduced words in $F$. 



3 Recognition of Minimal Words in Free Groups 

One of the main applications of Pattern Recognition techniques is classification 
of a variety of given objects into categories. Usually classification algorithms 
or classifiers use a set of measurements (properties, characteristics) of objects, 
called features, which gives a descriptive representation for the objects. We refer 
to [2] for detailed introduction to pattern recognition techniques. 

In this section we describe a particular pattern recognition system PRmin 
for recognizing minimal elements in free groups. The corresponding classifier 
is a supervised learning classifier which means that the decision algorithm is 
“trained” on a prearranged dataset, called training dataset in which each pattern 
is labelled with its true class label. The algorithm is based on Support Vector 
Machines (SVM) classification algorithm. 

In Section 1 we have stressed that the number of parameters required to 
be estimated by the classification model based on quadratic regression is of 
order $O(n^4)$, where $n$ is the rank of a free group $F_n$. This constitutes two main 
problems. First, in order to compute the parameters we have to multiply and 
decompose matrices of size equal to the number of the coefficients itself. For large 
$n$, the straightforward computation of such matrices might be impossible due 
to memory size restrictions. Another problem, which is perhaps the major 
problem, is due to the fact that the number of observations in the training set 
needs to be about 100 times more than the number of the coefficients to be 
estimated. When $n$ is large (for $n = 10$ the required number of observations is 
about 14,440,000) it is a significant practical limitation, especially when the data 
generation is time consuming. 

One of the main attractive features of the Support Vector Machines is their 
ability to employ non-linear mapping without essential increase in the number 
of parameters to be estimated and, therefore, in computation time. 

3.1 Data Generation: Training Datasets 

A pseudo-random element $w$ of $F(X)$ can be generated as a pseudo-random se- 
quence $y_1, \ldots, y_l$ of elements $y_i \in X^{\pm 1}$ such that $y_i \neq y_{i+1}^{-1}$, where the length 
$l$ is also chosen pseudo-randomly. However, it has been shown in [4] that ran- 
domly taken cyclically reduced words in $F$ are already minimal with asymptotic 
probability 1. Therefore, a set of randomly generated cyclic words in $F$ would 
be highly biased toward the class of minimal elements. To obtain fair training 
datasets we use the following procedure. 

For each positive integer $l = 1, \ldots, L$ we generate pseudo-randomly and 
uniformly $K$ cyclically reduced words from $F(X)$ of length $l$. Parameters $L$ and 
$K$ were chosen to be 1000 and 10 for purely practical reasons. Denote the resulting 
set by $W$. Then using the deterministic Whitehead algorithm we construct the 
corresponding set of minimal elements 

$W_{\min} = \{w_{\min} \mid w \in W\}.$ 

With probability 0.5 we substitute each $v \in W_{\min}$ with the word $t(v)$, where $t$ is a 
randomly and uniformly chosen automorphism from $\Omega(X)$ such that $|t(v)| > |v|$ 
(if $|t(v)| = |v|$ we choose another $t \in \Omega(X)$, and so on). Now, the resulting set 
$L$ is a set of pseudo-randomly generated cyclically reduced words representing 
the classes of minimal and non-minimal elements in approximately equal propor- 
tions. It follows from the construction that our choice of non-minimal elements $w$ 
is not quite representative, since all these elements have Whitehead's complexity 
one (which is not the case in general). One may try to replace the automorphism 
$t$ above by a random finite sequence of automorphisms from $\Omega$ to get a more 
representative training set. However, we will see in Section 4 that the training 
dataset $L$ is sufficiently good already, so we elected to keep it as it is. 

From the construction we know for each element $v \in L$ whether it is minimal 
or not. Finally, we create a training set 

$D = \{\langle v, P(v) \rangle \mid v \in L\},$ 

where 

$P(v) = \begin{cases} 1, & v \text{ is minimal;} \\ 0, & \text{otherwise.} \end{cases}$ 
3.2 Features 

To describe the feature representation of elements from a free group $F(X)$ we 
need the following 

Definition 1. Labelled Whitehead Graph $WG(v) = (V, E)$ of an element $v \in 
F(X)$ is a weighted non-oriented graph, where the set of vertices $V$ is equal to the 
set $X^{\pm 1}$, and for $x_i, x_j \in X^{\pm 1}$ there is an edge $(x_i, x_j) \in E$ if the subword $x_i x_j^{-1}$ 
(or $x_j x_i^{-1}$) occurs in the word $v$ viewed as a cyclic word. Every edge $(x_i, x_j)$ is 
assigned a weight $l_{ij}$ which is the number of times the subwords $x_i x_j^{-1}$ and $x_j x_i^{-1}$ 
occur in $v$. 

Whitehead Graph is one of the main tools in exploring automorphic proper- 
ties of elements in a free group [4, 8] . 

Now, let $w \in F(X)$ be a cyclically reduced word. We define features of 
element $w$ as follows. Let $l(w)$ be a vector of edge weights in the Whitehead 
Graph $WG(w)$ with respect to a fixed order. We define a feature vector $f(w)$ by 

$f(w) =$ 

This is the basic feature vector in all our considerations. 
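As an added example (our code, not the paper's), the following Python implements the free-group routines behind Sections 2, 3.1 and 3.2: reduction and cyclic reduction, the type-2 Whitehead automorphisms, the exponential deterministic minimality test and Whitehead descent, the edge weights of the labelled Whitehead graph, and the balanced training-set construction of Section 3.1. The string encoding of words, the function names and the small constructed sample sizes are our own assumptions; the graph routine returns the raw weights $l(w)$ rather than the paper's $f(w)$.

```python
# Added example (ours, not the paper's code) for Sections 2, 3.1 and 3.2.  Word encoding (our
# convention): lowercase letters are generators x in X, uppercase letters their inverses x^{-1}.
import random
import string
from itertools import combinations

def inv(letter):
    """Formal inverse of one letter: a <-> A."""
    return letter.swapcase()

def free_reduce(word):
    """Cancel every xx^{-1} and x^{-1}x; gives the unique reduced word."""
    stack = []
    for ch in word:
        if stack and stack[-1] == inv(ch):
            stack.pop()
        else:
            stack.append(ch)
    return "".join(stack)

def cyclic_reduce(word):
    """Cyclically reduced form w' with w = u^{-1} w' u and |w| = |w'| + 2|u|."""
    w = free_reduce(word)
    while len(w) >= 2 and w[0] == inv(w[-1]):
        w = w[1:-1]
    return w

def apply_automorphism(word, images):
    """Apply the automorphism given by its basis images; phi(x^{-1}) = phi(x)^{-1}."""
    out = []
    for ch in word:
        out.append(images[ch] if ch.islower()
                   else "".join(inv(c) for c in reversed(images[inv(ch)])))
    return free_reduce("".join(out))

def whitehead_automorphisms(rank):
    """Type-2 Whitehead automorphisms as basis maps, in (A, a) form: a is fixed, x goes to
    x, xa, a^{-1}x or a^{-1}xa according to which of x, x^{-1} lie in A (a in A)."""
    gens = string.ascii_lowercase[:rank]
    auts = []
    for a in gens + gens.upper():
        others = [x for x in gens + gens.upper() if x not in (a, inv(a))]
        for r in range(len(others) + 1):
            for subset in combinations(others, r):
                A = set(subset) | {a}
                auts.append({x: x if x in (a, inv(a)) else
                             (inv(a) if inv(x) in A else "") + x + (a if x in A else "")
                             for x in gens})
    return auts

def is_whitehead_minimal(word, rank):
    """Section 2: minimal iff |t(w)| >= |w| for all Whitehead t (cyclic lengths used)."""
    w = cyclic_reduce(word)
    return all(len(cyclic_reduce(apply_automorphism(w, t))) >= len(w)
               for t in whitehead_automorphisms(rank))

def whitehead_minimize(word, rank):
    """Whitehead descent: apply a shortening t until none exists; returns one w_min."""
    w = cyclic_reduce(word)
    auts = whitehead_automorphisms(rank)
    while True:
        shorter = [v for v in (cyclic_reduce(apply_automorphism(w, t)) for t in auts)
                   if len(v) < len(w)]
        if not shorter:
            return w
        w = shorter[0]

def whitehead_graph_weights(word):
    """WG(w) edge weights (Definition 1): each cyclic x_i x_j^{-1} adds 1 to edge {x_i, x_j}."""
    w = cyclic_reduce(word)
    weights = {}
    for k in range(len(w)):
        edge = frozenset((w[k], inv(w[(k + 1) % len(w)])))
        weights[edge] = weights.get(edge, 0) + 1
    return weights

def random_cyclically_reduced_word(length, rank, rng):
    """Uniform pseudo-random cyclically reduced word (rejection when x_1 = x_n^{-1})."""
    letters = string.ascii_lowercase[:rank] + string.ascii_uppercase[:rank]
    while True:
        w = ""
        for _ in range(length):
            w += rng.choice([c for c in letters if not w or c != inv(w[-1])])
        if length < 2 or w[0] != inv(w[-1]):
            return w

def make_training_set(rank, L, K, seed=1):
    """Section 3.1: minimise K random words per length 1..L; replace half by longer t(v)."""
    rng, auts, data = random.Random(seed), whitehead_automorphisms(rank), []
    for l in range(1, L + 1):
        for _ in range(K):
            v = whitehead_minimize(random_cyclically_reduced_word(l, rank, rng), rank)
            longer = [u for u in (cyclic_reduce(apply_automorphism(v, t)) for t in auts)
                      if len(u) > len(v)]
            if longer and rng.random() < 0.5:
                data.append((rng.choice(longer), 0))  # non-minimal, Whitehead complexity 1
            else:
                data.append((v, 1))
    return data
```

The labels produced by `make_training_set` can be cross-checked against `is_whitehead_minimal`, which is exactly the exponential test the paper's classifier is meant to replace.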



3.3 Decision Rule 

Below we give a brief description of the classification rule based on Support 
Vector Machine. 

Let $D = \{w_1, \ldots, w_N\}$, $w_i \in F(X)$ be a training set and $D' = \{x_1, \ldots, x_N\}$, 
$x_i = f(w_i)$ be the set of feature vectors with the corresponding labels $y_1, \ldots, y_N$, 
where 

$y_i = \begin{cases} +1, & \text{if } P(w_i) = 1; \\ -1, & \text{otherwise.} \end{cases}$ 

Definition 2. The margin of an example $(x_i, y_i)$ with respect to a hyperplane 
$(\mathbf{w}, b)$ is defined as the quantity 

$\gamma_i = y_i(\mathbf{w}' \cdot x_i + b).$ 

Note that $\gamma_i > 0$ corresponds to the correct classification of $(x_i, y_i)$. 

Let $\gamma_+$ ($\gamma_-$) be the smallest margin among all positive (negative) points. 
Define the margin of separation 

$\gamma = \gamma_+ + \gamma_-.$ 

A Support Vector Machine (SVM) is a statistical classifier that attempts 
to construct a decision hyperplane $(\mathbf{w}, b)$ in such a way that the margin of 
separation $\gamma$ between positive and negative examples is maximized [9, 10]. 
We wish to find a hyperplane which will separate the two classes such that 
all points on one side of the hyperplane will be labelled $+1$, all points on the 
other side will be labelled $-1$. Define a discriminant function 

$g(x) = \mathbf{w}^{*\prime} \cdot x + b^*,$ 

where $\mathbf{w}^*, b^*$ are the parameters of the optimal hyperplane. Function $g(x)$ gives 
the distance from an arbitrary $x$ to the optimal hyperplane. 

Parameters of the optimal hyperplane are obtained by maximizing the mar- 
gin, which is equivalent to minimizing the cost function 

$\Phi(\mathbf{w}) = \|\mathbf{w}\|^2 = \mathbf{w}' \cdot \mathbf{w},$ 

subject to the constraint that 

$y_i(\mathbf{w}' \cdot x_i + b) - 1 \ge 0.$ 

This is an optimization problem with inequality constraints and can be solved 
by means of Lagrange multipliers. We form the Lagrangian 

$L(\mathbf{w}, b, \alpha) = \frac{1}{2}\mathbf{w}' \cdot \mathbf{w} - \sum_{i=1}^{N} \alpha_i \left[ y_i(\mathbf{w}' \cdot x_i + b) - 1 \right],$ 

where $\alpha_i \ge 0$ are the Lagrange multipliers. We need to minimize $L(\mathbf{w}, b, \alpha)$ 
with respect to $\mathbf{w}, b$ while requiring that derivatives of $L(\mathbf{w}, b, \alpha)$ with respect 
to all the $\alpha_i$ vanish, subject to the constraint that $\alpha_i \ge 0$. After solving the 
optimization problem the discriminant function is 

$g(x) = \sum_{i=1}^{N} y_i \alpha_i^* x_i' \cdot x + b^*,$ 

where $\alpha^*, b^*$ are the parameters of the optimal decision hyperplane. It shows 
that the distance can be computed as a weighted sum of the training data and 
the Lagrange multipliers, and that the training vectors $x_i$ are only used in inner 
products. 

One can extend the linear case to non-linearly separable data by introducing a 
kernel function 

$K(x_i, x_j) = \varphi(x_i) \cdot \varphi(x_j),$ 

where $\varphi(x)$ is some non-linear mapping into a (possibly infinite) space $H$, 

$\varphi : \mathbb{R}^n \to H.$ 

Since Support Vector Machines use only inner products to compute the discrim- 
inant function, given a kernel $K(x_i, x_j)$, we can train an SVM without ever having 
to know $\varphi(x)$ [3]. The implication of this is that the number of parameters 
that has to be learned by the SVM does not depend on the choice of the kernel 
and, therefore, of the mapping $\varphi$. This gives an obvious computational advantage when 
mapping the original feature space into a higher dimensional space, which is the 
main obstacle in the previous approach based on quadratic regression. 
Examples of typical kernel functions are: 

— Linear: 

$K(x_i, x_j) = x_i' \cdot x_j$ 

— Polynomial: 

$K(x_i, x_j) = (1 + x_i' \cdot x_j)^d$ 

— Exponential: 

— Neural Networks: 

$K(x_i, x_j) = \tanh(\theta_1 x_i' \cdot x_j - \theta_2)$ 

Now we can define the decision rule used by the system. The classification 
algorithm has to predict the value $P(w)$ of the predicate $P$ for a given word $w$. 
The corresponding decision rule is 

$\text{Decide } P(w) = \begin{cases} 1, & \text{if } g(f(w)) > 0; \\ 0, & \text{otherwise.} \end{cases}$ 



4 Evaluation of the System 

4.1 Test Datasets 

To test and evaluate our pattern recognition system we generate several test 
datasets of different types: 

— A test set $S_E$ which is generated by the same procedure as for the training 
set $D$, but independently of $D$. 

— A test set $S_R$ of pseudo-randomly generated cyclically reduced elements of 
$F(X)$, as described in Section 3.1. 

— A test set $S_P$ of pseudo-randomly generated cyclically reduced primitive 
elements in $F(X)$. Recall that $w \in F(X)$ is primitive if and only if there 
exists a sequence of Whitehead automorphisms $t_1, \ldots, t_m \in \Omega(X)$ such that 
$t_m \cdots t_1(x) = w$ for some $x \in X^{\pm 1}$. Elements in $S_P$ are generated by the 
procedure described in [6], which, roughly speaking, amounts to a random 
choice of $x \in X^{\pm 1}$ and a random choice of a sequence of automorphisms 
$t_1, \ldots, t_m \in \Omega(X)$. 

— A test set $S_{10}$ which is generated in a way similar to the procedure used 
to generate the training set $D$. The only difference is that the non-minimal 
elements are obtained by applying not one, but several randomly chosen 
automorphisms from $\Omega(X)$. The number of such automorphisms is chosen 
uniformly randomly from the set $\{1, \ldots, 10\}$, hence the name. 

For more details on the generating procedure see [6]. 

To show that the performance of Support Vector Machines is acceptable for free 
groups, including groups of large ranks, we ran experiments with groups of ranks 
3, 5, 10, 15, 20. For each group we construct the training set $D$ and test sets $S_E$, $S_{10}$, 
$S_R$, $S_P$ using the procedures described previously. Some statistics of the datasets are 
given in Table 1. 
Table 1. Description of the training and test datasets in free groups $F_3$, $F_5$, $F_{10}$, $F_{15}$ and $F_{20}$ (blank cells are not legible). 

a) $F_3$: 

Dataset   size   % min   % non-min   (min,avg,max) word lengths 
D                49.1    50.9        (3,558.2,1306) 
S_E       5000   48.9    51.1        (3,559,1292) 
S_10             49.1    50.9        (3,1016.5,13381) 
S_R                      1.7         (3,501.2,999) 
S_P       3850   0.0     100.0       (3,194.7,8719) 

b) $F_5$: 

Dataset   size   % min   % non-min   (min,avg,max) word lengths 
D                48.5    51.5        (5,581.3,1388) 
S_E       5000   49.2    50.8        (8,583.7,1382) 
S_10             48.0    52.0        (7,1693.22,28278) 
S_R              97.2    2.8         (6,504.2,999) 
S_P       2900   0.0     100.0       (5,656.9,22430) 

c) $F_{10}$: 

Dataset   size   % min   % non-min   (min,avg,max) word lengths 
D                48.9    51.1        (26,617.4,1461) 
S_E              49.2    50.8        (26,619.7,1443) 
S_10             49.5    50.5        (29,2589.8,65274) 
S_R              96.5    3.5         (18,512.7,999) 
S_P              0.0     100.0       (12,150.8,1459) 

d) $F_{15}$: 

Dataset   size   % min   % non-min   (min,avg,max) word lengths 
D                49.5    50.5        (41,635.3,1472) 
S_E              49.2    50.8        (40,642.5,1462) 
S_10             49.7    50.3        (46,3056.6,53422) 
S_R              95.3    4.7         (26,523.8,999) 
S_P              0.0     100.0       (28,1109.3,4981) 

e) $F_{20}$: 

Dataset   size   % min   % non-min   (min,avg,max) word lengths 
D                49.6    50.4        (47,658.3,1488) 
S_E              49.3    50.7        (48,659.8,1484) 
S_10             49.1    50.9        (64,3351.4,68316) 
S_R              94.0    6.0         (48,534.9,999) 
S_P              0.0     100.0       (66,945.1,4762) 



4.2 Accuracy Measure 

To evaluate the performance of the classification system PRmin we define an 
accuracy measure A. 
Let $D_{eval}$ be a test data set and 

$K = |\{w \mid decide(w) = P(w),\ w \in D_{eval}\}|$ 

be the number of correctly classified elements in $D_{eval}$. To evaluate the perfor- 
mance of a given pattern classification system we use a simple accuracy measure: 

$A = \frac{K}{|D_{eval}|},$ 

which gives the fraction of the correctly classified elements from the test set 
$D_{eval}$. 

Notice that the numbers of correctly classified elements follow the Binomial 
distribution and $A$ can be viewed as an estimate of the probability $p$ of a word being 
classified correctly. 

We are interested in constructing a confidence interval for the probability $p$. For 
binomial variates, exact confidence intervals do not exist in general. One can 
obtain an approximate $100(1 - \alpha)\%$ confidence interval $[p_S, p_L]$ by solving the 
following equations for $p_S$ and $p_L$: 

$\sum_{k=K}^{|D_{eval}|} \binom{|D_{eval}|}{k} p_S^{k} (1 - p_S)^{|D_{eval}| - k} = \frac{\alpha}{2}, \qquad 
\sum_{k=0}^{K} \binom{|D_{eval}|}{k} p_L^{k} (1 - p_L)^{|D_{eval}| - k} = \frac{\alpha}{2},$ 

for a given $\alpha$. 

Exact solutions to the equations above can be obtained by re-expressing them in 
terms of the incomplete beta function (see [1] for details). 



4.3 Results of Experiments 

Experiments were repeated with the following types of kernel functions: 

$K^1$: linear; 

$K^2$: quadratic $(b\, x_i' \cdot x_j + c)^2$; 

$K^3$: polynomial of degree 3 $(b\, x_i' \cdot x_j + c)^3$; 

$K^4$: polynomial of degree 4 $(b\, x_i' \cdot x_j + c)^4$; 

$K^5$: Gaussian, 

where $x_i, x_j$ are the feature vectors obtained with the mapping $f_{WG}$ and $x_i \cdot x_j$ is 
the inner product of $x_i$ and $x_j$. 
The results of the experiments are presented in Table 2. It shows that an SVM with an 
appropriate kernel performs well not only on free groups of small ranks but on 
groups of large ranks as well. The experiments confirmed observations, made 
previously, that the classes of minimal and non-minimal words are not linearly sepa- 
rable. Moreover, once the rank and, therefore, the dimensionality of the feature space 
grows, quadratic mapping does not guarantee high classification accuracy. 
As one might expect, the accuracy increases when the degree of the polynomial 
mapping increases. Nevertheless, even with the polynomial kernel of de- 
gree $d = 4$, the Support Vector Machine is not able to perform accurate classification 
in groups $F_{15}$ and $F_{20}$. However, the Gaussian kernel produces stable and accurate 
results for all test datasets, including sets of elements in free groups of large 
ranks. This indicates that points in one of the classes (minimal or non-minimal) 
are compactly distributed in the feature space and can be accurately described 
as a Gaussian. We also can observe that the Gaussian representation can be applied 
to only one of the classes. If the opposite were true, then the problem of separat- 
ing the two classes would be much simpler and at least the quadratic mapping 
should have been as accurate as $K^5$. 

Table 2. Performance of the Support Vector Machine classifier in free groups $F_3$, $F_5$, 
$F_{10}$, $F_{15}$ and $F_{20}$. Each panel has one row per kernel $K^1, \ldots, K^5$ and, for both 
"All elements" and "Elements with $|w| > 100$", one column per group $F_3, F_5, F_{10}, F_{15}, F_{20}$; 
only the last column of each panel ($F_{20}$, elements with $|w| > 100$) is legible: 

Kernel   a) S_E   b) S_10   c) S_R   d) S_P 
K^1      .648     .687      .727     .612 
K^2      .711     .751      .790     .626 
K^3      .773     .810      .842     .648 
K^4      .834     .870      .883     .665 
K^5      .995     .994      .973     1.00 

a) accuracy evaluated on the set $S_E$; b) accuracy evaluated on the set $S_{10}$; 
c) accuracy evaluated on the set $S_R$; d) accuracy evaluated on the set $S_P$. 

We end this section with the following conclusions: 

1. With an appropriate kernel function the Support Vector Machines approach per- 
forms very well in the task of classification of Whitehead-minimal words in 
free groups of various ranks, including groups of large ranks. 

2. The best overall results are obtained with the Gaussian kernel $K^5$. This in- 
dicates that one of the classes is compact and can be bounded by a Gaussian 
function. 

3. The regression approach would still be preferable for groups of small ranks 
due to its simplicity and smaller resource requirements. However, SVMs 
should be used for groups of larger ranks where the size of the training 
sets required to perform regression with non-linear preprocessing mapping 
becomes practically intractable. 
Abstract. While implementing a proof for the Basic Perturbation 
Lemma (a central result in Homological Algebra) in the theorem prover 
Isabelle one faces problems such as the implementation of algebraic struc- 
tures, partial functions in a logic of total functions, or the level of ab- 
straction in formal proofs. Different approaches aiming at solving these 
problems will be evaluated and classified according to features such as 
the degree of mechanization obtained or the direct correspondence to 
the mathematical proofs. From this study, an environment for further 
developments in Homological Algebra will be proposed. 

1 Introduction 

EAT [15] and Kenzo [5] are software systems written under Sergeraert’s direction 
for symbolic computation in algebraic topology and homological algebra. These 
systems have been used to compute remarkable results (for instance, some ho- 
mology groups of iterated loop spaces) previously unknown. Both of them are 
based on the intensive use of functional programming techniques, which make it 
possible in particular to encode and handle at runtime the infinite data structures appear- 
ing in algebraic topology algorithms. As pointed out in [4], algebraic topology 
is a field where challenging problems remain open for computer algebra systems 
and theorem provers. 

In order to increase the reliability of the systems, a project to formally analyze 
fragments of the programs was undertaken. In the last years, several results have 
been found related to the algebraic specification of data structures, some of them 
presented in [9]. Following these results, the algorithms dealing with these data 
structures have to be studied. The long term goal of our research project is to 
get certified versions of these algorithms, which would ensure the correctness 
of the computer algebra systems to a degree much greater than current hand- 
coded programs. To this end, a tool for extracting code from mechanized proofs 
could be used. As a first step towards this general goal, our concrete objective 
in this paper is to explore several possibilities to implement proofs of theorems 
in algebraic topology by using a theorem prover. As theorem prover, the tactical 
prover Isabelle [12] has been chosen, mainly, because it is the system the authors 
are most familiar with. 

A first algorithm for which we intend to implement a proof is the Basic Per- 
turbation Lemma (hereinafter, BPL), since its proof has an algorithm associated 
used in Kenzo as one of the central parts of the program. In Section 2, the state- 
ment of the BPL, as well as a collection of lemmas leading to its proof, will be 
given. In Section 3, a naive attempt to implement the proofs of these lemmas is 
introduced. Section 4 describes an approach using the existing tools in Isabelle. 
In Section 5, we try to avoid the problems arising from partiality and provide a 
generic algebraic structure embedding most of the objects appearing in the prob- 
lem. In Section 6, an approach based on a new Isabelle feature, instantiation of 
locales, will be commented on. The paper ends with a conclusions section. 

2 Some Homological Algebra 

In the following definitions, some notions of homological algebra are briefly in- 
troduced (for further details, see [10], for instance). 

Definition 1. A graded group $C_*$ is a family of abelian groups indexed by the integers, $C_* = \{C_n\}_{n \in \mathbb{Z}}$, with each $C_n$ an abelian group. A graded group homomorphism $f: A_* \to B_*$ of degree $k$ ($\in \mathbb{Z}$) between two graded groups $A_*$ and $B_*$ is a family of group homomorphisms, $f = \{f_n\}_{n \in \mathbb{Z}}$, with $f_n: A_n \to B_{n+k}$ a group homomorphism $\forall n \in \mathbb{Z}$. A chain complex is a pair $(C_*, d_{C_*})$, where $C_*$ is a graded group, and $d_{C_*}$ (the differential map) is a graded group homomorphism $d_{C_*}: C_* \to C_*$ of degree $-1$ such that $d_{C_*} d_{C_*} = 0_{\mathrm{hom}\, C_*\, C_*}$. A chain complex homomorphism between two chain complexes $(A_*, d_{A_*})$ and $(B_*, d_{B_*})$ is a graded group homomorphism $f: A_* \to B_*$ (degree $0$) such that $f d_{A_*} = d_{B_*} f$.

Let us note that the same family of homomorphisms $f = \{f_n\}_{n \in \mathbb{Z}}$ can be considered as a graded group homomorphism or as a chain complex homomorphism. If no confusion arises, $C_*$ will represent both a graded group and a chain complex; in the case of a chain complex homomorphism, the differential associated to $C_*$ will be denoted by $d_{C_*}$.

Definition 2. A reduction $D_* \Rightarrow C_*$ between two chain complexes is a triple $(f, g, h)$ where: (a) the components $f$ and $g$ are chain complex homomorphisms $f: D_* \to C_*$ and $g: C_* \to D_*$; (b) the component $h$ is a homotopy operator on $D_*$, that is, a graded group homomorphism $h: D_* \to D_*$ of degree $1$; (c) the following relations are satisfied: (1) $fg = \mathrm{id}_{C_*}$; (2) $gf + d_{D_*} h + h d_{D_*} = \mathrm{id}_{D_*}$; (3) $fh = 0_{\mathrm{hom}\, D_*\, C_*}$; (4) $hg = 0_{\mathrm{hom}\, C_*\, D_*}$; (5) $hh = 0_{\mathrm{hom}\, D_*\, D_*}$.

Reductions are relevant since the homology of chain complexes is preserved by them, and they allow one to pass from a chain complex where the homology is unknown to a new one where the homology is computable.

Definition 3. Let $D_*$ be a chain complex; a perturbation of the differential $d_{D_*}$ is a homomorphism of graded groups $\delta_{D_*}: D_* \to D_*$ (degree $-1$) such that $d_{D_*} + \delta_{D_*}$ is a differential for the underlying graded group of $D_*$. A perturbation $\delta_{D_*}$ of $d_{D_*}$ satisfies the nilpotency condition with respect to a reduction $(f, g, h): D_* \Rightarrow C_*$ whenever the composition $\delta_{D_*} h$ is pointwise nilpotent, that is, $(\delta_{D_*} h)^n(x) = 0$ for an $n \in \mathbb{N}$ depending on each $x$ in $D_*$.

Under certain conditions, reductions can be “perturbed” to obtain new reductions that are easier to work with. This is expressed in the BPL.

Theorem 1. Basic Perturbation Lemma. Let $(f, g, h): D_* \Rightarrow C_*$ be a chain complex reduction and $\delta_{D_*}: D_* \to D_*$ a perturbation of the differential $d_{D_*}$ satisfying the nilpotency condition with respect to the reduction $(f, g, h)$. Then, a new reduction $(f', g', h'): D'_* \Rightarrow C'_*$ can be obtained where the underlying graded groups of $D_*$ and $D'_*$ (resp. $C_*$ and $C'_*$) are the same, but the differentials are perturbed: $d_{D'_*} = d_{D_*} + \delta_{D_*}$, $d_{C'_*} = d_{C_*} + \delta_{C_*}$, and $\delta_{C_*} = f \phi \delta_{D_*} g$; $f' = f \phi$; $g' = (1 - h \phi \delta_{D_*}) g$; $h' = h \phi$, where $\phi = \sum_{i \ge 0} (-1)^i (\delta_{D_*} h)^i$.

The BPL is a key result in algorithmic homological algebra (in particular, it is crucial for EAT [15] and Kenzo [5]). It ensures that when a perturbation is discarded (usually in chain complexes of infinite nature), a new reduction between chain complexes can be algorithmically obtained, and thus the process to obtain a chain complex with computable homology can be implemented in a symbolic computation system. The BPL first appeared in [16] and was rewritten in modern terms in [3]. Since then, plenty of proofs have been described in the literature (see, for instance, [7,14]). We are interested in a proof due to Sergeraert [14]. This proof is divided into two parts:

Part 1. Let $\psi$ be $\sum_{i \ge 0} (-1)^i (h \delta_{D_*})^i$. From the BPL hypothesis, the following equalities are proved: $\psi h = h \phi$; $\psi = 1 - h \delta_{D_*} \psi = 1 - \psi h \delta_{D_*} = 1 - h \phi \delta_{D_*}$; $\phi = 1 - \delta_{D_*} h \phi = 1 - \phi \delta_{D_*} h = 1 - \delta_{D_*} \psi h$.

Part 2. With these equalities, it is possible to give a collection of lemmas providing the new reduction between the chain complexes (and therefore producing the algorithm associated to the BPL).

In the rest of the paper, we focus on the second part. The collection of lemmas will now be presented, and later a sketch of a proof that combines these lemmas will be given. The sketch of the proof shows the constructive nature of the proof, which would permit us to obtain an algorithm from it. In the following sections we will explain the different attempts we have studied to implement the proofs of these lemmas.

Lemma 1. Let $(f, g, h): D_* \Rightarrow C_*$ be a chain complex reduction. There exists a canonical and explicit chain complex isomorphism between $D_*$ and the direct sum $\ker(gf) \oplus C_*$. In particular, $F: \mathrm{im}(gf) \to C_*$ and $F^{-1}: C_* \to \mathrm{im}(gf)$, defined by $F(x) = f(x)$ and $F^{-1}(x) = g(x)$, are inverse isomorphisms of chain complexes and $\mathrm{im}(gf) = \ker(\mathrm{id}_{D_*} - gf)$.

Let us denote by $\mathrm{inc}_{\ker(p)}$ the canonical inclusion homomorphism $\mathrm{inc}_{\ker(p)}: \ker(p) \to D_*$ given by $x \mapsto x$, with $p = d_{D_*} h + h d_{D_*}$. It is well defined since $\ker(p)$ is a chain subcomplex of $D_*$.
Lemma 2. Let $D_*$ be a chain complex, $h: D_* \to D_*$ (degree $1$) a homomorphism of graded groups satisfying $hh = 0$ and $h d_{D_*} h = h$. Let $p = d_{D_*} h + h d_{D_*}$ (from the reduction properties in Definition 2 it follows that $\mathrm{id}_{D_*} - p = gf$). Then $(\mathrm{id}_{D_*} - p, \mathrm{inc}_{\ker(p)}, h)$ is a reduction from $D_*$ to $\ker(p)$.

Lemma 2 is used to give a (very easy) constructive proof of the following result. 

Lemma 3. Assuming the conditions of the BPL, and the equalities of Part 1, there exists a canonical and explicit reduction $D'_* \Rightarrow \ker(p')$, where $p' = d_{D'_*} h' + h' d_{D'_*}$.

Lemma 4. Assuming the conditions of the BPL, and the equalities of Part 1, there exists a canonical and explicit isomorphism of graded groups between $\ker(p)$ and $\ker(p')$, where $p = d_{D_*} h + h d_{D_*}$ and $p' = d_{D'_*} h' + h' d_{D'_*}$.

Lemma 5. Let $A_*$ be a chain complex, $B_*$ a graded group and $F: A_* \to B_*$, $F^{-1}: B_* \to A_*$ inverse isomorphisms between graded groups. Then, the graded group homomorphism (degree $-1$) $d_{B_*} := F d_{A_*} F^{-1}$ is a differential on $B_*$ such that $F$ and $F^{-1}$ become inverse isomorphisms between chain complexes.

Lemma 6. Let $(f, g, h): A_* \Rightarrow B_*$ be a reduction and $F: B_* \to C_*$ a chain complex isomorphism. Then $(Ff, gF^{-1}, h)$ is a reduction from $A_*$ to $C_*$.

Sketch of the BPL proof. By applying Lemma 3, a reduction $D'_* \Rightarrow \ker(p')$ is obtained. Then, by Lemma 4, a graded group isomorphism between $\ker(p')$ and $\ker(p)$ is built. Now, from Lemma 1, one can conclude that $\ker(p) = \ker(\mathrm{id}_{D_*} - gf) = \mathrm{im}(gf) \cong C_*$, and an explicit isomorphism of graded groups between $\ker(p')$ and $C_*$ is defined (by composition). The differential of $\ker(p')$ has to be transferred to $C_*$ by applying Lemma 5, giving a new chain complex $C'_*$, with the property that $\ker(p') \cong C'_*$ as chain complexes. By applying Lemma 6 to $D'_* \Rightarrow \ker(p')$ and $\ker(p') \cong C'_*$, an explicit reduction from $D'_*$ to $C'_*$ is obtained. When the homomorphisms obtained in the different lemmas are consecutively composed, the equalities in the BPL statement are exactly produced.
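The construction of Theorem 1 and the five relations of Definition 2 can be checked mechanically on a small instance, which is the kind of sanity check one wants before trusting code extracted from a proof. The following Python script is an added example, not part of the paper or of the Kenzo or Isabelle developments it discusses: graded groups are dictionaries of ranks, a homomorphism of fixed degree is one integer matrix per degree, `is_reduction` checks Definition 2 together with the chain-map conditions, and `bpl` implements the formulas of Theorem 1, with φ computed as the finite series Σ(−1)^i (δh)^i that the nilpotency condition of Definition 3 guarantees. The chain complexes, the reduction and the perturbation in `example()` are constructed for this illustration; the matrices and the basis names c_n, a_n are assumptions of the example, not data from the paper.

```python
def mul(A, B, shape):
    """Matrix product A*B; the result shape is given explicitly so that products passing
    through a zero-rank degree (empty matrices) still come out with the right dimensions."""
    rows, cols = shape
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(cols)]
            for i in range(rows)]


class GMap:
    """Graded group homomorphism src -> tgt of fixed degree (Definition 1): src and tgt are
    {degree: rank} dictionaries, mats[n] is the integer matrix of src_n -> tgt_{n+degree};
    degrees without an entry are zero maps."""

    def __init__(self, src, tgt, degree, mats=None):
        self.src, self.tgt, self.degree = src, tgt, degree
        self.mats = mats or {}

    def shape(self, n):
        return (self.tgt.get(n + self.degree, 0), self.src.get(n, 0))

    def at(self, n):
        rows, cols = self.shape(n)
        return self.mats.get(n, [[0] * cols for _ in range(rows)])

    def __matmul__(self, other):  # composition self o other
        assert other.tgt == self.src, "domain/codomain mismatch in composition"
        res = GMap(other.src, self.tgt, self.degree + other.degree)
        res.mats = {n: mul(self.at(n + other.degree), other.at(n), res.shape(n)) for n in other.src}
        return res

    def _zipwith(self, other, op):
        assert (self.src, self.tgt, self.degree) == (other.src, other.tgt, other.degree)
        res = GMap(self.src, self.tgt, self.degree)
        res.mats = {n: [[op(a, b) for a, b in zip(ra, rb)]
                        for ra, rb in zip(self.at(n), other.at(n))] for n in self.src}
        return res

    def __add__(self, other):
        return self._zipwith(other, lambda a, b: a + b)

    def __sub__(self, other):
        return self._zipwith(other, lambda a, b: a - b)

    def is_zero(self):
        return all(x == 0 for n in self.src for row in self.at(n) for x in row)

    def __eq__(self, other):
        return (self - other).is_zero()


def identity(G):
    return GMap(G, G, 0, {n: [[int(i == j) for j in range(k)] for i in range(k)] for n, k in G.items()})


def is_reduction(f, g, h, dD, dC):
    """Definition 2 for (f, g, h): D_* => C_*, plus d d = 0 and the chain-map conditions."""
    D, C = f.src, f.tgt
    return all([
        (dD @ dD).is_zero(), (dC @ dC).is_zero(),
        dC @ f == f @ dD, dD @ g == g @ dC,                        # f, g chain complex homomorphisms
        f @ g == identity(C),                                    # (1)
        g @ f + dD @ h + h @ dD == identity(D),                  # (2)
        (f @ h).is_zero(), (h @ g).is_zero(), (h @ h).is_zero(),  # (3), (4), (5)
    ])


def is_nilpotent(m):
    """Pointwise nilpotency (Definition 3) of a degree-0 endomorphism of a graded group of
    finite total rank k: it holds iff m^k = 0, so finitely many powers decide it."""
    power = m
    for _ in range(sum(m.src.values())):
        if power.is_zero():
            return True
        power = power @ m
    return power.is_zero()


def bpl(f, g, h, dD, dC, delta):
    """Theorem 1: returns (f', g', h', d_{D'}, d_{C'}) for the perturbation delta of d_D."""
    D = f.src
    one = identity(D)
    if not is_nilpotent(delta @ h):
        raise ValueError("delta o h is not pointwise nilpotent: the BPL hypothesis fails")
    phi, power = one, one                 # phi = sum_{i>=0} (-1)^i (delta h)^i, finite by nilpotency
    minus_dh = GMap(D, D, 0) - delta @ h
    while True:
        power = power @ minus_dh
        if power.is_zero():
            break
        phi = phi + power
    dC_new = dC + f @ phi @ delta @ g     # delta_C = f phi delta_D g
    return f @ phi, (one - h @ phi @ delta) @ g, h @ phi, dD + delta, dC_new


def example():
    """Constructed instance (assumption of this example): D_* = C_* (+) A_* with C_1 = C_0 = Z,
    d_C = 0, and A_1 -> A_0 the identity; basis (c_n, a_n) in each degree.  delta sends a_1 to c_0."""
    C, D = {0: 1, 1: 1}, {0: 2, 1: 2}
    dC = GMap(C, C, -1)
    dD = GMap(D, D, -1, {1: [[0, 0], [0, 1]]})     # d(a_1) = a_0
    f = GMap(D, C, 0, {n: [[1, 0]] for n in D})     # projection onto C_*
    g = GMap(C, D, 0, {n: [[1], [0]] for n in C})   # inclusion of C_*
    h = GMap(D, D, 1, {0: [[0, 0], [0, 1]]})        # h(a_0) = a_1 contracts A_*
    delta = GMap(D, D, -1, {1: [[0, 1], [0, 0]]})   # delta(a_1) = c_0
    return f, g, h, dD, dC, delta
```

Calling `bpl(*example())` returns a triple that again satisfies `is_reduction` for the perturbed differentials, while the unperturbed `(f, g, h)` fails it against `d_D + δ` because `f` is no longer a chain map. Replacing `delta` by a map whose composite with `h` is idempotent instead of nilpotent makes `bpl` refuse the input, which is exactly the hypothesis a formal proof has to discharge before the series for φ is meaningful.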

3 A Symbolic Approach 

Our first approach consists in considering the objects in the statements (the homomorphisms) as generic elements of an algebraic structure where equational reasoning can be carried out. The idea is to identify, for instance, the elements of a ring of homomorphisms with the elements of a generic ring. Then, calculations in this ring are identified with proof steps in the reasoning domain (homomorphisms in the example). We call this a symbolic approach since homomorphisms are represented simply by symbols (as elements of a generic ring) without reference to their nature as functions. In our case, one of the additional difficulties of the proofs we intend to implement is that most of them require the properties of the various domains (with elements of different nature and type) involved in the proof; but when trying to implement mathematics in computers, an abstraction process is always needed to produce the translation of elements of the computer system employed into the elements of mathematics. This process is of great importance, since it clarifies what has been done and to which extent we can rely on the results obtained in the computer, and will be briefly described at the end of this section; for this symbolic approach, the abstraction process leads to identifying the different structures embedding homomorphisms with a single structure embedding all of them; the idea will be used again in Section 5 and its importance will also be observed in Section 6.

The proof of Lemma 2 illustrates most of the problems that have to be solved: the implementation of complex algebraic structures and the implementation of homomorphisms. In addition, one must work with the homomorphisms at two different levels simultaneously: equationally, as elements of an algebraic structure, and also as functions over a concrete domain and codomain. These reasons made us choose this lemma to seek the most appropriate framework. In this section this framework is precisely defined for the symbolic approach, then the proved lemmas are explained and finally some properties of this framework are enumerated¹.

The following abstractions can be carried out:

– The big chain complex $(D_*, d_{D_*})$ is by definition a graded group with a differential operator, and $(\ker p, d_{D_*})$ is a chain subcomplex of it. The endomorphisms of $(D_*, d_{D_*})$ are the elements of a generic ring $R$.

– Some special homomorphisms between $(D_*, d_{D_*})$ and $(\ker p, d_{D_*})$, and endomorphisms of $(\ker p, d_{D_*})$, are seen as elements of $R$ (for instance, the identity, the null homomorphism or some contractions).

Some of the computations developed under this construction of a generic ring can then be identified with some parts of the proof of Lemma 2. On the other hand, some other properties cannot be proved in this framework since some (relevant) information about the structures involved and their properties is lost. This framework, being too generic, makes it possible to avoid the problems of the concrete implementation of homomorphisms.

We will now give an example of how some of the properties to be proved in the lemma can be represented in this framework. According to Def. 2 we have to prove the 5 characteristic properties of the reduction given in the conclusion of the lemma. Of the five equalities, two fit in this framework and can be derived equationally inside it. The first one is property (5), i.e.

$hh = 0$

The proof is trivial since the statement follows directly from the premises of Lemma 2, and its proof can be implemented as in the mathematical proof. The second example of a proof that can be given inside this framework is property (3), i.e.

if $hdh = h$ and $hh = 0$ and $p = dh + hd$ then $(1_R - p)h = 0_R$,

whose implementation in Isabelle can be given as

lemma (in ring) property_three:
  assumes d ∈ carrier R and h ∈ carrier R
    and h * h = 0 and h * d * h = h and p = d * h + h * d
  shows (1 − p) * h = 0
proof − from prems show ?thesis by algebra qed

¹ A similar pattern will be followed in the other approaches.

Some comments on this proof: firstly, regarding the accuracy of the statement and, again, the abstraction process mentioned before, it should be pointed out that from the comparison of the proposed lemma in Isabelle and the property stated in Lemma 2 one difference is observed; namely, Lemma 2 says $(\mathrm{id}_{D_*} - p)h = 0_{\mathrm{hom}\, D_*\, \ker p}$ whereas the Isabelle proof corresponds exactly to $(\mathrm{id}_{D_*} - p)h = 0_{\mathrm{hom}\, D_*\, D_*}$, since there is only one ring involved in the Isabelle context. This is not a problem in this concrete equality since the values of $0_{\mathrm{hom}\, D_*\, \ker p}$ and $0_{\mathrm{hom}\, D_*\, D_*}$ are equal at every point (because $\ker p$ is a graded subgroup of $D_*$); so far, the proof implemented in Isabelle, although having a formal difference with the original proof, can be considered to be an exact implementation of the mathematical proof. Nevertheless, this kind of situation is the one that will lead us to seek a more appropriate environment where the different domains and algebraic structures can be represented.

It is also worth emphasizing the tool support for this style of reasoning:

1. the use of locales is advantageous since it clarifies the syntax, shortens the proof and creates contexts with local assumptions; in our case, just by adding (in ring) to our lemma a specific context is built where $R$ is a generic ring and all the theorems proved in the existing ring locale are available as facts.

2. the algebra tactic, valid for rings, automates proofs by looking for a normal form of the given expression (0, in this case).

This approach has some advantages. First of all, it is quite simple and intuitive, with the consequence that proofs are quite close to the mathematical proofs and can be easily understood. As will be seen in Section 4, when more elaborate approaches are discussed, it is also possible for the size of the proofs to make them unfeasible. Moreover, Isabelle has among its standard libraries enough theories to produce proofs in the context of the symbolic approach in a completely automatic way; these generic proofs can be used where only equational reasoning is required. In addition to this, the basic idea of this approach will be useful in Sections 5 and 6.

There are also some drawbacks to this method. Firstly, we cannot prove the other properties needed to complete the implementation of the proof of the lemma. They cannot be proved, since information about the domain of the homomorphisms or about the concrete definition of the homomorphisms in such domains is required. For instance, it is not possible to derive with the tools of this framework that … = 0. A second disadvantage observed is the high level of abstraction required to pass from the mathematical context to the given context in Isabelle. The type assigned to homomorphisms in this framework, where they are considered ring elements, is just a generic type α, whereas something more similar to the mathematical definition of homomorphism would be at least desirable (for instance, α ⇒ β). In particular, neither the differential group $(D_*, d_{D_*})$ nor the elements of the domain appear. Therefore, the conceptual distance between the Isabelle code and the mathematical content is too large. From a more practical point of view, the previous discussion on types shows that the computational content of homomorphisms (that is to say, their interpretation as functions) is lost, which prevents code extraction.



4 A Set Theoretic Approach 

The previous approach offers a high level of abstraction but is insufficient to prove our theorems. In this section we present a framework where the algebraic structures are again represented by records, but homomorphisms are now represented as functions.

There are two main components in this framework. One is the algebraic structures involved and the other one is the homomorphisms between these structures. In Isabelle, declarations of constants (including algebraic structures or homomorphisms) consist of a type² and a defining axiom. Algebraic structures are implemented over extensible record types (see [11]); this permits record subtyping and parametric polymorphism, and thus algebraic structures can be derived using inheritance. As an example, a differential group can be defined in Isabelle as

record α diff_group = α monoid +
  diff :: α ⇒ α

diff_group C ≡ ab_group C ∧ diff C ∈ hom C C ∧
  (∀x ∈ carrier C. diff C (diff C x) = one C)

For homomorphisms, again a type and a definition must be declared. In the Isabelle type system all functions are total, and therefore homomorphisms (which are partial functions over generic types) are implemented through total functions; the homomorphisms between two given algebraic structures will be the set of all total functions between two types for which the homomorphism axioms hold³:

hom :: [(α, θ) monoid_scheme, (β, σ) monoid_scheme] ⇒ (α ⇒ β) set
hom A B ≡ {f. f ∈ carrier A → carrier B ∧ (∀x ∈ carrier A. ∀y ∈ carrier A. f (x *_A y) = (f x) *_B (f y))}

Since in Isabelle equality (=) is total on types, problems arise when comparing homomorphisms (or partial functions, in general). A way out of this situation is to use “arbitrary”, which denotes (for every type) an arbitrary but unknown value. Doing so is sound, because types are inhabited. Partial functions can be simulated by assigning them to “arbitrary” outside of their domain.

With these definitions we have implemented the complete proof of Lemma 1. This proof takes advantage of the above mentioned inheritance among algebraic structures, starting from sets, with the definition of a bijection between sets, and then introducing the inherited structures step by step. Following this scheme, 800 lines of Isabelle code were needed to both specify the required structures and implement the proofs, and a readable proof was obtained.

² In Isabelle syntax, f :: α ⇒ β denotes a total function from type α to type β.

³ In Isabelle syntax, {x. f(x)} denotes set comprehension.

We would like to point out the following about this approach:

1. A higher degree of accuracy (in comparison to the previous approach) has been obtained; now the relationship between the objects implemented in the proof assistant and the mathematical concepts present in the proof is much clearer.

2. The representation of algebraic structures in Isabelle and Kenzo is performed in the same way, using records where each field represents an operator. On the other hand, homomorphisms have a simpler representation in Isabelle since they are just elements of a functional type, whereas in Kenzo they are also records, which keeps explicit information about their domain and codomain.

3. Converting homomorphisms into total functions by the use of “arbitrary” makes things a bit more complex. From the formal point of view, it is difficult to identify a homomorphism containing an arbitrary element, i.e., a conditional statement “if x ∈ G then f x else arbitrary”, with any mathematical object; there is a gap in the abstraction process that cannot be directly filled. A solution to clarify this process by identifying the elements outside the domain with a special element of the homomorphism's codomain will be proposed in Section 5; this avoids the undefined values of the total function representing a concrete homomorphism. This solution has been proposed before and its disadvantages are well known, but careful use of it can make mechanization easier.

4. Homomorphisms are represented by conditional statements, and working with $n$ homomorphisms at the same time one has to consider $2^n$ cases. There are two solutions to this problem. The first one consists in enhancing the homomorphisms with an algebraic structure, allowing one to reason with them as elements of this structure in an equational way (for instance, an abelian group or a ring). With this implementation, proofs can sometimes avoid getting into the concrete details of the representation of homomorphisms in the theorem prover. To some extent this can be understood as the development of a new level of abstraction; some steps (or computations) are developed at the level of the elements of the homomorphisms' domains whereas some are developed at the level of the structure where homomorphisms are embedded. This forces one to implement proof steps more carefully and also to make a correct choice of the homomorphisms that can be provided with an algebraic structure, and will be discussed in Section 5. A second possible solution, not implemented yet, using equivalence classes will be mentioned as future work in Section 7.

5 A Homomorphism Approach 

If we capitalize on the advantages of both the symbolic approach and the set theoretic approach and combine them carefully, it is possible to obtain a new framework where the level of abstraction is as suitable as in the set theoretic approach and the degree of mechanization is as high as in the symbolic approach. The idea is to develop a structure where the domain of the homomorphisms and also the homomorphisms themselves can be found at the same time, with homomorphisms represented by elements of functional type (or something similar), which would allow working with them at a concrete level, but with the same homomorphisms being part of an algebraic structure. Since various algebraic structures are involved in the problem (at least $(D_*, d_{D_*})$ and $(\ker p, d_{D_*})$), there is no single algebraic structure containing all the homomorphisms appearing in the problem. Clearly the endomorphisms of $(D_*, d_{D_*})$ form a ring, and so do the ones of $(\ker p, d_{D_*})$, while the homomorphisms from $(D_*, d_{D_*})$ into $(\ker p, d_{D_*})$ form an abelian group; the automation of proofs in such a complicated environment would be hard; some ideas will be proposed in Section 7.

Another possible solution is explained in this section. It involves considering just one simple algebraic structure where all the homomorphisms can be embedded, and then developing tools that convert a homomorphism from this structure into one of the underlying ones. Taking into account that $\ker p$ is a substructure of $D_*$, we will consider as our only structure the ring of endomorphisms $R = \mathrm{hom}(D_*, d_{D_*})(D_*, d_{D_*})$. Later we will introduce the tools that convert homomorphisms from $R$ into homomorphisms of, for instance, $\mathrm{hom}(\ker p, d_{D_*})(\ker p, d_{D_*})$, but just to illustrate the benefits of this approach we give a brief example here:

Example 1. Proving the fact “assumes $d \in \mathrm{hom}(D_*, d_{D_*})(D_*, d_{D_*})$ and $h \in \mathrm{hom}(D_*, d_{D_*})(D_*, d_{D_*})$ shows $p = dh + hd \in \mathrm{hom}(D_*, d_{D_*})(D_*, d_{D_*})$”, due to partiality matters, requires several reasoning steps. When homomorphisms are provided with an algebraic structure this is a trivial proof, since rings are closed under their operations. □

In order to embed homomorphisms into a ring, it is necessary to choose the elements and also the operators carefully. Firstly, there can be only one representative for each homomorphism, and here partiality appears again, since otherwise both $\lambda x.\ \mathrm{one}\ G$ and $\lambda x.\ (\text{if } x \in G \text{ then one } G \text{ else arbitrary})$ could be identities in this ring. Secondly, operators must be closed over the structure, and thus they rely strongly on the chosen representation for homomorphisms. Without going into further depth, we decided to consider the carrier of the ring $R$ formed by the completions $\lambda x.\ (\text{if } x \in G \text{ then } f\,x \text{ else one } G)$, because then the generic composition operator ∘ can be used in Isabelle (whereas this was not possible with the extensional functions based on “arbitrary” in Isabelle). At a second stage, we had to implement the tools allowing us to convert an element of $\mathrm{hom}(D_*, d_{D_*})(D_*, d_{D_*})$ into one of, for instance, $\mathrm{hom}(\ker p, d_{D_*})(\ker p, d_{D_*})$ (under precise conditions). This would allow us to implement proofs for facts such as $(\mathrm{id} - p, D, \ker p) \circ (h, D, D) = (0, D, \ker p)$ (property (3) in Def. 2, needed for Lemma 2) in a human readable style such as⁴:

Example 2. assumes (p, D, D) ∘ (h, D, D) = (h, D, D)
shows (id − p, D, ker p) ∘ (h, D, D) = (0, D, ker p)
proof −
  have (id − p, D, D) ∘ (h, D, D) = ((id, D, D) − (p, D, D)) ∘ (h, D, D)
  (…)
  also have ··· = (0, D, D)
  finally have one: (id − p, D, D) ∘ (h, D, D) = (0, D, D)
  from prems have two: im(id − p) ⊆ ker p
  from one and two
  have ((id − p, D, D) ∘ (h, D, D) = (0, D, D)) = ((id − p, D, ker p) ∘ (h, D, D) = (0, D, ker p))
  then show (id − p, D, ker p) ∘ (h, D, D) = (0, D, ker p)
qed □

⁴ The ··· are just an abbreviation meaning “the previous expression” in sequential calculations.

In order to obtain this degree of expressiveness, two major modifications must be made. The first one is related to the implementation of homomorphisms. The information about their domain and codomain must be explicit, otherwise it is not possible to convert them from $(f, D, D)$ to $(f, D, \ker p)$. Secondly, some lemmas allowing one to modify these triples must be introduced (and proved) in Isabelle. These lemmas permit changing the domain and codomain of a homomorphism provided that certain conditions are satisfied; when the composition of two homomorphisms is equal to a third one, the domain and codomain of the three homomorphisms can be changed and the equality still holds. This collection of lemmas can be summarized in the following one, a generic version of all of them where all the algebraic structures (domains and codomains of the homomorphisms) can be changed:

Lemma 7. Laureano's Lemma. Let $(g, C, D)$ and $(f, A, B)$ be two homomorphisms between chain complexes satisfying $(g, C, D) \circ (f, A, B) = (h, A, D)$, and let $A'$ be a chain subcomplex of $A$, $B'$ a chain subcomplex of $C$, $\mathrm{im}\, f$ contained in $B'$, and $\mathrm{im}\, h$ contained in $D'$. Then $(g, C, D') \circ (f, A', B') = (h, A', D')$.
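Example 2 and Lemma 7 work with homomorphisms as triples (f, A, B) whose values outside the domain are completed with the neutral element of the codomain, so that each homomorphism has exactly one representative and domain or codomain changes are legitimate only when an image condition holds. The following Python code is an added example and not the paper's Isabelle development: it models that completion representation on finite cyclic groups (the ambient type α is replaced by a finite set of integers, `UNIVERSE`, an assumption of this example), checks the homomorphism axiom on the carrier, composes triples only when the middle structures agree, changes domain and codomain only when the image is contained in the new codomain, and replays the steps of Example 2 on a constructed idempotent p on Z_6. All group instances and function names below are chosen for the illustration.

```python
UNIVERSE = range(12)  # stand-in for the ambient type alpha (assumption of this example)


class Group:
    """Finite abelian group: a carrier (subset of UNIVERSE) with addition modulo n.
    Subgroups share n and have a smaller carrier; the neutral element `one` is 0."""

    def __init__(self, n, carrier=None):
        self.n = n
        self.carrier = frozenset(range(n) if carrier is None else carrier)
        self.one = 0

    def is_subgroup_of(self, other):
        return self.n == other.n and self.carrier <= other.carrier

    def __eq__(self, other):
        return (self.n, self.carrier) == (other.n, other.carrier)

    def __hash__(self):
        return hash((self.n, self.carrier))


class Hom:
    """The triple (f, A, B) of Section 5.  The stored table is the completion
    lambda x. if x in carrier A then f x else one B, so a homomorphism has one
    representative and two triples are equal iff domain, codomain and table agree."""

    def __init__(self, fn, dom, cod):
        self.dom, self.cod = dom, cod
        self.table = {x: (fn(x) % cod.n if x in dom.carrier else cod.one) for x in UNIVERSE}
        if not self.image() <= cod.carrier:
            raise ValueError("image is not contained in the codomain")
        for x in dom.carrier:            # homomorphism axiom, checked on the carrier only
            for y in dom.carrier:
                if self.table[(x + y) % dom.n] != (self.table[x] + self.table[y]) % cod.n:
                    raise ValueError("not a homomorphism")

    def __call__(self, x):
        return self.table[x]

    def image(self):
        return frozenset(self.table[x] for x in self.dom.carrier)

    def __eq__(self, other):
        return (self.dom, self.cod, self.table) == (other.dom, other.cod, other.table)


def compose(g, f):
    """(g, C, D) o (f, A, B); the explicit structures make the side condition B = C checkable."""
    if f.cod != g.dom:
        raise ValueError("codomain of the right factor must equal the domain of the left one")
    return Hom(lambda x: g(f(x)), f.dom, g.cod)


def restrict(f, new_dom, new_cod):
    """Turn (f, A, B) into (f, A', B') for subgroups A' <= A, B' <= B; the constructor rejects
    the change unless im f|A' is contained in B' (the image condition of Lemma 7)."""
    if not (new_dom.is_subgroup_of(f.dom) and new_cod.is_subgroup_of(f.cod)):
        raise ValueError("A' and B' must be subgroups of A and B")
    return Hom(f, new_dom, new_cod)


def kernel(f):
    return Group(f.dom.n, {x for x in f.dom.carrier if f(x) == f.cod.one})


def example_two():
    """Example 2 with D = Z_6 (constructed), p = multiplication by 3 (idempotent) and h = p,
    so that the premise (p, D, D) o (h, D, D) = (h, D, D) holds."""
    D = Group(6)
    p = Hom(lambda x: 3 * x, D, D)
    h = Hom(lambda x: 3 * x, D, D)
    id_minus_p = Hom(lambda x: x - p(x), D, D)
    ker_p = kernel(p)
    assert compose(p, h) == h                                  # the premise of Example 2
    one = compose(id_minus_p, h) == Hom(lambda x: 0, D, D)     # (id - p, D, D) o (h, D, D) = (0, D, D)
    two = id_minus_p.image() <= ker_p.carrier                  # im(id - p) <= ker p
    # with `two` the codomain of the left factor may be changed to ker p and the equation survives
    conclusion = compose(restrict(id_minus_p, D, ker_p), h) == Hom(lambda x: 0, D, ker_p)
    return one and two and conclusion


def completion_identifies_representatives():
    """Without completion, lambda x. x and lambda x. if x in G then x else arbitrary would be two
    different identities of the ring; with completion they have one table and compare equal."""
    D = Group(6)
    return Hom(lambda x: x, D, D) == Hom(lambda x: x if x in D.carrier else 99, D, D)
```

The `ValueError` paths are the interesting ones: `restrict(p, D, kernel(p))` is refused because im p = {0, 3} is not inside ker p, while `restrict(p, kernel(p), D)` is accepted and yields the zero map; these are exactly the side conditions that the Isabelle lemmas of this section have to carry explicitly.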

With this lemma and the new proposed representation for homomorphisms a framework with the following advantages is built. From the point of view of capability, it is possible to implement all the properties needed for Lemma 2. It should also be emphasized that the size of the proofs is manageable, although sometimes the proofs require some human guidance in order to finish. Moreover, the framework can be transferred to other problems dealing with homomorphisms and particular reasoning about them. Embedding homomorphisms (even between different algebraic structures) in only one algebraic structure can help to easily implement proofs of properties about these homomorphisms (and avoids the implementation of more elaborate algebraic structures); moreover, Lemma 7 can be easily generalized to compositions of $n$ homomorphisms. From the formal point of view, all the computations are carried out in this algebraic structure and all the operations needed can be identified as simplifications inside the ring, or applications of Lemma 7; the abstraction process from the implemented proof to the mathematical proof can be accurately defined.

On the other hand, the amount of concepts that need to be mechanized is rather large. In addition to this, we have observed that the implementation of homomorphisms as records sometimes slows down the interactive proof steps. A likely cause for this loss of performance is inefficiencies in the record package of Isabelle2003⁵. A record encoding a homomorphism is a rather large data structure and contains a lot of redundant information. For instance, in $f: D_* \to D_*$, the corresponding record contains four copies of $D_*$, and $D_*$ itself is already a quite large record. It appears that when several homomorphisms are involved in a proof, the redundancies cause a slowed response time of the interactive environment.



6 Instantiating Locales 

A final method based on the instantiation of locales (see [1]), a tool recently implemented in Isabelle that could be of great help for this kind of problem, is also considered. Locales, which are light-weight modules, define local scopes for Isabelle; some fixed assumptions are made and theorems can be proved from these assumptions in the context of the locale.

With the instantiation of locales it is not possible to define generic frameworks, but the method has great expressiveness for concrete problems. The approach presented in this section is based to some extent on the ideas introduced in the first approach, considering homomorphisms embedded in an algebraic structure, but with the clear advantage that now several algebraic structures can be defined at the same time (this will allow us to introduce rings $R$ and $R'$, abelian groups $A$ and $A'$, and so on) and the elements of these structures can be instantiated with their real components. For instance, $R$ could be instantiated with $\mathrm{hom}(D_*, d_{D_*})(D_*, d_{D_*})$ as carrier set and the usual composition ∘ as product, $R'$ with carrier $\mathrm{hom}(\ker p, d_{D_*})(\ker p, d_{D_*})$ and operation ∘ as product, $A'$ with carrier $\mathrm{hom}(D_*, d_{D_*})(\ker p, d_{D_*})$, and so on. This permits working with homomorphisms at two different levels. At the first one, they can be considered as elements of the algebraic structures and the computations between the elements of these algebraic structures are identified with the steps of the proofs. At the second level, the operations of the algebraic structures can be instantiated to their definition (for instance, “mult = ∘” or “sum = $\lambda f\, g.\ \lambda x.\ f\,x *_D g\,x$”) as well as the structures (in our case, the differential groups or chain complexes), in order to complete the proof steps requiring this information (for instance, $p|_{\ker p} = 0$). The structure of the locale needed to implement the proofs of Lemma 2 in Isabelle would now look as follows:

locale hom_completion_environment = comm_group G + comm_group K +
    ring R + ring R' + comm_group A + comm_group A' + var p +
  assumes R = (| carrier = hom_completion G G, mult = op ∘, one = … |)
    and R' = …
  defines K = ker p

⁵ These have been removed in the latest release, Isabelle2004, but we have not yet ported our proofs.
First the structures (the variables) needed for the local scope are fixed and then their components are defined. Once all these assumptions have been made, the statement of lemmas will have the following appearance⁶:

lemma (in hom_completion_environment) reduction_property_one:
  assumes p ∈ carrier R
  shows (one R ⊖₃ p) ∘ (λx. if x ∈ carrier (ker p) then id x else one (ker p)) = one R'

By specifying (in hom_completion_environment) we introduce all the facts present in the locale hom_completion_environment, and then they can be used as theorems in our lemma. The previous statement corresponds to property (1) of Def. 2 specialized for Lemma 2: the composition of $\mathrm{id}_{D_*} - p$ with the inclusion of $\ker p$ is the identity of $\ker p$. Using these tools, we get a framework very close to the one in the mathematical lemmas. Moreover, proofs can be mechanized in a readable style quite similar to the mathematical proofs, and only some repetitive steps have to be added to explicitly obtain the value of the fields of the fixed algebraic structures when needed; proofs are easy to read and similar to the ones made “by hand”. All these features make this framework quite satisfactory. On the other hand, from the formal point of view there is also a drawback. The operation ∘ appearing in the statement of the lemma cannot be identified with any of the operations of the framework. It composes elements of different algebraic structures, such as $\mathrm{hom}(\ker p, d_{D_*})(\ker p, d_{D_*})$ and $\mathrm{hom}(D_*, d_{D_*})(\ker p, d_{D_*})$, whose relation has not been made explicit at any point inside the locale. The composition ∘ is valid in this case since all the elements of the carrier sets are implemented through functions, and therefore they can be composed. Even in other cases, the operation relating the different structures could be implemented, but there is no mathematical correspondence for this external op ∘; this produces a gap in the abstraction function that permits identifying mathematical objects with their representation in the theorem prover.



7 Conclusions and Further Work 

A design “from bottom to top” has been used to implement the proof of the BPL in Isabelle. Instead of considering algebraic topology as a whole and formalizing generic concepts of this theory, our approach started from a very concrete (and relevant) lemma (the BPL) in this area that could allow us to estimate the real capabilities of Isabelle to work with differential structures and their homomorphisms. We also started from a simple attempt (in Section 3) that gave us helpful ideas for the following approaches about which tools were directly available in Isabelle and which other tools should be supplied to the system. The Isabelle tools introduced in Section 4 were not enough to produce readable proofs. Then, in Section 5, an original framework where several computations with homomorphisms can be carried out was suggested. The implementation of these tools led us to the problem of what changes must be made to partial functions in order to provide them with an enveloping algebraic structure. Our choice was to introduce completions, identifying the elements outside the domain of the partial function with a distinguished element, the identity of the image structure. Similarly, the extensional functions already available in Isabelle could have been used, just with some modifications in the composition of functions. The point is that a generic algebraic structure cannot be defined directly from the homomorphisms as plain functions, since there are multiple functions representing each of them. In particular, it was shown that inside this framework implementations could be given for all the properties in Lemma 2, and that from the formal point of view there was a clear abstraction function between the objects implemented in Isabelle and the mathematical objects required. Finally, in Section 6, the possibilities of a recent Isabelle feature (instantiation of locales) were studied; this new tool fits several of the problems and so far would allow us to implement all the proofs of the lemmas in Section 2. We have implemented a proof of all the properties in Lemma 2. From this study, we conclude that the approach based on the instantiation of locales is the most promising for further developments in homological algebra.

⁶ In Isabelle syntax, ⊖₃ is a reference to the “minus” operation in the third structure of our locale definition, ring R.

Some problems remain open, and more work has yet to be done: 



1. To complete the proofs of all the lemmas in Section 2 and then give a complete implementation of the proof of the BPL. The proof obtained should satisfy all the requirements needed to extract a program from it. At this point, we could explore the possibilities of extracting code in Isabelle (see, for instance, [2]). In addition to this, a comparison will be needed with other provers where code extraction has been used in nontrivial cases (see, for instance, the work on Buchberger’s algorithm in Coq [17]). 

2. As has been explained in Section 4, partial functions can be implemented by using equivalence classes. Actually, the solutions proposed here (using completion functions or the extensional functions implemented in Isabelle) are just different ways of giving elements to represent these (non-implemented) equivalence classes. The implementation would force us to redefine all the concepts regarding homomorphisms (composition, identities, ...) but would produce a definitive way to deal with partial functions in the Isabelle/HOL system. Following the instructions given in [13], the definition should be quite feasible. 

3. A ringoid (see [10]) is an algebraic structure containing homomorphisms and endomorphisms over different algebraic structures. To give an implementation of it could be useful for several problems in group theory. An attempt to introduce category theory in Isabelle has already been made (see [6]), and some similarities can be found between the implementation of morphisms given there and the representation of homomorphisms that we proposed in Section 5, needed to work in a more effective way with them. Specification of ringoids is not a complicated task in Isabelle. Nevertheless, the benefits and drawbacks of this new approach with respect to our third and fourth approaches should be carefully studied. 

4. In order to develop algebraic topology, one of the basic concepts needed (see definitions in Section 2) is infinite complexes (of modules, for instance). Some attempts have been made to produce an implementation of them (see [8]), but definitive results have not been obtained yet. For their implementation, lazy lists or extensible records might be used, but these ideas will be studied in future work. 
Abstract. We present a personal view and strategy for algorithm-supported mathematical theory exploration and draw some conclusions for the desirable functionality of future mathematical software systems. The main points of emphasis are: the use of schemes for bottom-up mathematical invention, the algorithmic generation of conjectures from failing proofs for top-down mathematical invention, and the possibility to program new reasoners within the logic on which the reasoners work (“meta-programming”). 



1 A View of Algorithm-Supported 
Mathematical Theory Exploration 

Mathematical theories are collections of formulae in some formal logic language 
(e.g. predicate logic). Mathematical theory exploration proceeds by applying, 
under the guidance of a human user, various algorithmic reasoners for producing 
new formulae from given ones and aims at building up (large) mathematical 
knowledge bases in an efficient, reliable, well-structured, re-usable, and flexible 
way. Algorithm-supported mathematical theory exploration may also be seen as 
the logical kernel of the recent field of “Mathematical Knowledge Management” 
(MKM), see [10] and [5]. In the past few decades, an impressive variety of results has been obtained in the area of algorithm-supported reasoning, both in terms of logical and mathematical power as well as in terms of software systems; see, for example, ALF [18], Automath [12], COQ [2], Elf [21], HOL [13], IMPS [1], Isabelle [20], Lego [17], Mizar [3], Nuprl [11], Omega [4]. We also made an effort in this area, see the Theorema [9] system. 

However, as a matter of fact, these reasoning systems are not yet widely 
used by the “working mathematicians” (i.e. those who do math research and/or 
math teaching). This is in distinct contrast to the current math (computer al- 
gebra/numerics) systems like Mathematica, Maple, etc. which, in the past 
couple of years, have finally found their way into the daily practice of math- 
ematicians. In this paper, we want to specify a few features of future systems 
for algorithm-supported mathematical theory exploration which, in our view, 
are indispensable for making these systems attractive for the daily routine of 
working mathematicians. These features are: 

— Integration of the Functionality of Current Mathematical Systems: Reasoning 
systems must retain the full power of current numerics and computer algebra 
systems including the possibility to program one’s own algorithms in the 
system. 

— Attractive Syntax: Reasoning systems must accept and produce mathemat- 
ical knowledge in attractive syntax and, in fact, in flexible syntax that can 
be defined, within certain limitations, by the user. 

— Structured Mathematical Knowledge Bases: Reasoning systems must provide 
tools for building up and using (large) mathematical knowledge libraries in 
a structured way in uniform context with the algorithm libraries and with 
the possibility of changing structures easily. 

— Reasoners for Invention and Verification: Reasoning systems must provide 
reasoners both for inventing (proposing) and for verifying (proving, disprov- 
ing) mathematical knowledge. 

— Learning from Failed Reasoning: The results of algorithmic reasoners (in par- 
ticular, algorithmic provers) must be post-processable. In particular, also the 
results of failing reasoning attempts must be accessible for further (algorith- 
mic) analysis because failure is the main source of creativity for mathematical 
invention. 

— Meta-Programming: The process of (algorithm-supported) mathematical theory exploration is nonlinear: While exploring mathematical theories using known algorithmic reasoners we may obtain ideas for new algorithmic reasoners and we may want to implement them in our system and use them in the next exploration round. Hence, reasoning systems must allow “meta-programming”, i.e. the algorithmic reasoners must be programmed basically in the same logic language in which the formulae are expressed on which the reasoners work. 

I think it is fair to say that, in spite of the big progress made in the past couple of years, none of the current reasoning systems fulfills all the above requirements. In fact, some of the requirements are quite challenging and will need a lot more of both fundamental research and software technology. It is not the goal of this paper to compare the various current systems (see the above references) w.r.t. these six requirements. Rather, we will first summarize how we tried to fulfil the first three requirements in our Theorema system (see the web site http://www.theorema.org/ and the papers cited there) and then, in the main part of the paper, we will sketch a few ideas (which are partly implemented and partly being implemented in Theorema) that may contribute to the other three requirements. 

238 B. Buchberger 



2 Integration of the Functionality 
of Current Mathematical Systems 



Let us start from the fact that predicate logic is not only rich enough to express any mathematical proposition but also includes, as a sublanguage, a universal programming language and, in fact, a practical and elegant programming language. For example, in Theorema syntax, the following formula 

$\forall_{F}\ \big(\ \text{is-Gröbner-basis}[F] \Leftrightarrow \forall_{f,g \in F}\ \text{reduced}[\text{S-polynomial}[f,g],F] = 0\ \big)$ (1) 

can be read as a proposition (which can be proved, by the inference rules of predicate logic, from a rich enough knowledge base K) but it can also be read as an algorithm which can be applied to concrete input polynomial sets F, like $\{x^2 y - x - 2,\ x y^2 - x y + 1\}$. Application to inputs proceeds by using a certain simple subset of the inference rules of predicate logic, which transform 

$\text{is-Gröbner-basis}[F]$ 

into a truth value using a knowledge base that contains elementary Gröbner bases theory and the above formula (1). (Note that Theorema uses brackets for function and predicate application.) 

Here is another example of a predicate logic formula (in Theorema syntax), 
which may be read as a (recursive) algorithm: 



$\text{is-sorted}[\langle\rangle]$ 

$\text{is-sorted}[\langle x\rangle]$ 

$\text{is-sorted}[\langle x, y, \bar{z}\rangle] \Leftrightarrow \left(\begin{array}{l} x \le y \\ \text{is-sorted}[\langle y, \bar{z}\rangle] \end{array}\right).$ 

(Formulae placed above each other should be read as conjunctions.) 

In this algorithmic formula, we use “sequence variables”, which in Theorema are written as overbarred identifiers: The substitution operator for sequence variables allows the substitution of none, one, or finitely many terms, whereas the ordinary substitution operator for the ordinary variables of predicate logic (like x and y in our example) allows only the substitution of exactly one term for a variable. Thus, for example, 

$\text{is-sorted}[\langle 1, 2, 2, 5, 7\rangle],$ 

by using the generalized substitution operator for the sequence variable $\bar{z}$, may be rewritten into 

$1 \le 2\ \wedge\ \text{is-sorted}[\langle 2, 2, 5, 7\rangle],$ 

etc. 

(The extension of predicate logic by sequence variables is practically useful because it allows the elegant formulation of pattern matching programs. For example, the formula $p[\bar{u}, w, \bar{x}, w, \bar{y}] = 1$ says that p yields 1 if two arguments are identical. The meta-mathematical implications of introducing sequence variables in predicate logic are treated in [16].) 

Hence, Theorema has the possibility of formulating and executing any 
mathematical algorithm within the same logic frame in which the correctness 
of these algorithms and any other mathematical theorem can be proved. In ad- 
dition, Theorema has a possibility to invoke any algorithm from the underlying 
Mathematica algorithm library as a black box so that, if one wants, the en- 
tire functionality of Mathematica can be taken over into the logic frame of 
Theorema. 

3 Attractive Syntax 

Of course, the internal syntax of mathematical formulae on which algorithmic reasoners may be based is, theoretically, not a big issue. Correspondingly, in logic books, syntax is kept minimal. As a means for human thinking and expressing ideas, however, syntax plays an enormous role. Improving syntax for the formulae appearing in the input and the output of algorithmic reasoners and in mathematical knowledge bases is an important practical means for making future math systems more attractive for working mathematicians. Most of the current reasoning systems, in the past few years, started to add functionalities that allow the use of richer syntax. 

The Theorema system put a particular emphasis on syntax right from the beginning, see the papers on Theorema on the home page of the project http://www.theorema.org/. We allow two-dimensional syntax and user-programming of syntax, nested presentation of proofs, automated generation of natural language explanatory text in automated proofs, hyperlinks in proofs etc. In recent experiments, we even provided tools for graphical syntax, called “logico-graphic” syntax, see [19]. The implementation of these features was made comparatively easy by the tools available in the front-end of Mathematica, which is the programming environment for Theorema. Of course, whatever syntax is programmed by the user, the formulae in the external syntax are then translated into the internal standard form, which is a nested Mathematica expression, used as the input format of all the Theorema reasoners. For example, 

$\forall_{x,y,\bar{z}}\ \Big(\ \text{is-sorted}[\langle x,y,\bar{z}\rangle] \Leftrightarrow \left(\begin{array}{l} x \le y \\ \text{is-sorted}[\langle y,\bar{z}\rangle] \end{array}\right)\Big)$ 

internally is the nested prefix expression: 

    •ForAll[
      •range[•simpleRange[•var[x]],
             •simpleRange[•var[y]],
             •simpleRange[•var[•seq[z]]]],
      True,
      •Iff[is-sorted[•Tuple[•var[x], •var[y], •var[•seq[z]]]],
           •And[•LessEqual[•var[x], •var[y]],
                is-sorted[•Tuple[•var[y], •var[•seq[z]]]]]]]

Translators exist for translating formulae in the syntax of other systems to 
the Theorema syntax and vice versa. A translator to the recent Omdoc [15] 
standard is under development. 



4 Structured Mathematical Knowledge Bases 

We think that future math systems need “external” and “internal” tools for 
structuring mathematical knowledge bases. 

External tools are tools that partition collections of formulae into sections, subsections, etc. and maybe, in addition, allow one to give keywords like ‘Theorem’, ‘Definition’ etc. and labels to individual formulae so that one can easily reference and re-arrange individual formulae and blocks of formulae in large collections of formulae. Such tools, which we call “label management tools”, are implemented in the latest version of Theorema, see [23]. 

In contrast, internal structuring tools consider the structure of mathemati- 
cal knowledge bases itself as a mathematical relation, which essentially can be 
described by “functors” (or, more generally, “relators”). The essence of this func- 
torial approach to structuring mathematical knowledge can be seen in a formula 
as simple as 

In this formula, the predicate ~ is defined in terms of the predicate <. We may want to express this relation between ~ and < explicitly by defining the higher-order binary predicate AR: 

 

We may turn this “relator” into a “functor” by defining, implicitly, 

$\forall_{<}\ \big(\ AF[<][x, y] \Leftrightarrow \dots\ \big).$ 

(In this paper, we do not distinguish the different types of the different variables occurring in formulae because we do not want to overload the presentation with technicalities.) 

Functors have a computational and a reasoning aspect. The computational aspect of functors already received strong attention in the design of programming languages, see for example [14]: If we know how to compute with < then, given the above definition of the functor AF, we also know how to compute with the predicate AF[<]. 

However, in addition, functors have also a reasoning aspect which so far has 
received little attention in reasoning systems: For example, one can easily prove 
the following “conservation theorem”: 

$\left(\begin{array}{l} AR[\sim, <] \\ \text{is-transitive}[<] \end{array}\right) \Rightarrow \text{is-transitive}[\sim]$ 

where 

$\forall_{<}\ \Big(\ \text{is-transitive}[<] \Leftrightarrow \forall_{x,y,z}\ \Big( \left(\begin{array}{l} x < y \\ y < z \end{array}\right) \Rightarrow x < z \Big)\Big).$ 

In other words, if we know that < is in the “category” of transitive predicates and ~ is related to < by the relator AR (or the corresponding functor AF) then ~ also is in the category of transitive predicates. Of course, studying a couple of other conservation theorems for the relator AR, one soon arrives at the following conservation theorem 

$\left(\begin{array}{l} AR[\sim, <] \\ \text{is-quasi-ordering}[<] \end{array}\right) \Rightarrow \text{is-equivalence}[\sim],$ 

which is the theorem which motivates the consideration of the relator AR. 

After some analysis of the propositions proved when building up mathemat- 
ical theories, it should be clear that, in various disguises, conservation theorems 
make up a considerable portion of the propositions proved in mathematics. 

Functors for computation, in an attractive syntax, are available in Theorema, see for example the case study [6]. Some tools for organizing proofs of conservation theorems in Theorema were implemented in the PhD thesis [24] but are not integrated into the current version of Theorema. An expanded version of these tools will be available in the next version of Theorema. 



5 Schemes for Invention 

Given a (structured) knowledge base K (i.e. a structured collection of formulae 
on a couple of notions expressed by predicates and functions), in one step of 
the theory exploration process, progress can be made in one of the following 
directions: 

— invention of notions (i.e. axioms or definitions for new functions or predi- 
cates), 

— invention and verification of propositions about notions, 

— invention of problems involving notions, 

— invention and verification of methods (algorithms) for solving problems. 
The results of these steps are then used for expanding the current knowledge base by new knowledge. For verifying (proving propositions and proving the correctness of methods), the current reasoning systems provide a big arsenal of algorithmic provers. In the Theorema system, by now, we implemented two provers for general predicate logic (one based on natural deduction, one based on resolution) and special provers for analysis, for induction over the natural numbers and tuples, for geometric theorems (based on Gröbner bases and other algebraic methods), and for combinatorial identities. We do not go into any more detail on algorithmic proving since this topic is heavily treated in the literature, see the above references on reasoning systems. Rather, in this paper, our emphasis is on algorithmic invention. For this, in this section, we propose the systematic use of formulae schemes whereas, in the next section, we will discuss the use of conjecture generation from failing proofs. In a natural way, these two methods go together in an alternating bottom-up/top-down process. 

We think of schemes as formulae that express the accumulated experience of 
mathematicians for inventing mathematical axioms (in particular definitions), 
propositions, problems, and methods (in particular algorithms). Schemes should 
be stored in a (structured) schemes library L. This library could be viewed as 
part of the current knowledge. However, it is conceptually better to keep the 
library L of schemes, as a general source of ideas for invention, apart from the 
current knowledge base K that contains the knowledge that is available on the 
specific notions (operations, i.e. predicates and functions) of the specific theory 
to be explored at the given stage. 

The essential idea of formulae schemes can, again, be seen already in the simple example of the previous section on functors: Consider the formula 

$\forall_{x,y}\ (\ \dots\ )$ 

that expresses a relation between the two predicates < and ~. We can make this relation explicit by the definition 

 

This scheme (which we may also conceive as a “functor”) can now be used as a condensed proposal for “inventing” some piece of mathematics depending on how we look at the current exploration situation: 

Invention of a new notion (definition, axiom): 

If we assume that we are working w.r.t. a knowledge base K in which a binary predicate constant P occurs, then we may apply the above scheme by introducing a new binary predicate constant Q and asserting 

$AR[Q, P].$ 

In other words, application of the above scheme “invents the new notion Q together with the explicit definition” 
Invention of a new proposition: 

If we assume that we are working w.r.t. a knowledge base K in which two binary predicate constants P and Q occur, then we may apply the above scheme by conjecturing 

$AR[Q, P],$ 

i.e. 

$\forall_{x,y}\ \Big(\ Q[x,y] \Leftrightarrow \left(\begin{array}{l} P[x,y] \\ P[y,x] \end{array}\right)\Big).$ 



We may now use a suitable (automated) prover from our prover library and 
try to prove or disprove this formula. In case the formula can be proved, we may 
say that the application of the above scheme “invented a new proposition on the 
known notions P and Q” . 

Invention of a problem: 

Given a binary predicate constant P in the knowledge base K, we may ask 
to “find” a Q such that 

AR[Q,P]. 

In this case, application of the scheme AR “invents a problem”. The nature of the problem specified by AR depends on what we allow as “solution” Q. If we allow any binary predicate constant occurring in K then the problem is basically a “method retrieval and verification” problem in K: We could consider all or some of the binary predicate constants Q in K as candidates and try to prove/disprove AR[Q, P]. However, typically, we will allow the introduction of a new constant Q and ask for the invention of formulae D that “define” Q so that, using K and D, AR[Q, P] can be proved. Depending on which class of formulae we allow for “defining” Q (and possible auxiliary operations), the difficulty of “solving the problem” (i.e. finding Q) will vary drastically. In the simple example above, if we allow the use of the given P and explicit definitions, then the problem is trivially solved by the formula AR[Q, P] itself, which can be considered as an “algorithm” w.r.t. the auxiliary operation P. If, however, we allow only the use of certain elementary algorithmic functions in K and only the use of recursive definitions, then this problem may become arbitrarily difficult. 

Invention of a method (algorithm): 

This case is formally identical to the case of invention of an axiom or definition. However, methods are normally seen in the context of problems. For example, if we have a problem 

$PR[Q, R]$ 

of finding an operation Q satisfying PR in relation to certain given operations R, then we may try the proposal 

$AR[Q, P]$ 

as a method. If we restrict the schemes allowed in the definition of Q (and auxiliary operations) to being recursive equalities then we arrive at the notion of algorithmic methods. 

Case Studies: 

The creative potential of using schemes, together with failing proof analysis, can only be seen in major case studies. At the moment, within the Theorema project, three such case studies are under way: one for Gröbner bases theory [7], one for teaching elementary analysis, and one for the theory of tuples [8]. The results are quite promising. Notably, for Gröbner bases theory, we managed to show how the author’s algorithm for the construction of Gröbner bases can be automatically synthesized from a problem specification in predicate logic. Since the Gröbner bases algorithm is deemed to be nontrivial, automated synthesis may be considered as a good benchmark for the power of mathematical invention methods. 

Not every formula scheme is equally well suited for inventing definitions, 
propositions, problems, or methods. Here are some examples of typical simple 
schemes in each of the four areas: 

A Typical Definition Scheme: 

$\forall_{P,Q}\ \Big(\ \text{alternating-quantification}[Q,P] \Leftrightarrow \forall_{f}\ \big(\ Q[f] \Leftrightarrow \forall_{x}\ \exists_{y}\ \forall_{z}\ P[f,x,y,z]\ \big)\Big).$ 

Many of the notions in elementary analysis (e.g. “limit”) are generated by this (and similar) schemes. 

A Typical Proposition Scheme: 

$\forall_{f,g,h}\ \big(\ \text{is-homomorphic}[f,g,h] \Leftrightarrow \forall_{x,y}\ \big(\ h[f[x,y]] = g[h[x],h[y]]\ \big)\big).$ 

Of course, all possible “algebraic” interactions (describable by equalities between various compositions) of functions are candidates for proposition schemes. 

A Typical Problem Scheme: 

$\forall_{A,P,Q}\ \Big(\ \text{explicit-problem}[A,P,Q] \Leftrightarrow \forall_{x}\ \left(\begin{array}{l} P[A[x]] \\ Q[x,A[x]] \end{array}\right)\Big).$ 

This seems to be one of the most popular problem schemes: Find a method A that produces, for any x, a “standardized” form A[x] (that satisfies P[A[x]]) such that A[x] is still in some relation (e.g. equivalence) Q with x. (Examples: the sorting problem, the problem of constructing Gröbner bases, etc.) 

Two Typical Algorithm Schemes: 

$\forall_{F,c,s,g,h_1,h_2}\ \Big(\ \text{divide-and-conquer}[F,c,s,g,h_1,h_2] \Leftrightarrow \forall_{x}\ \Big(\ F[x] = \left\{\begin{array}{ll} s[x] & \Leftarrow c[x] \\ g[F[h_1[x]],F[h_2[x]]] & \Leftarrow \text{otherwise} \end{array}\right.\Big)\Big).$ 

This is of course the scheme by which, for example, the merge-sort algorithm can be composed from a merge function g, splitting functions h1, h2, and operations c, s that handle the base case. 



$$
\forall_{G,lc,df}\ \Bigg(\ \text{critical-pair-completion}[G,lc,df] \Leftrightarrow
\left(\begin{array}{l}
\forall_{F}\ \big(\ G[F] = G[F,\text{pairs}[F]]\ \big) \\
\forall_{F}\ \big(\ G[F,\langle\rangle] = F\ \big) \\
\forall_{F,g_1,g_2,\bar{p}}\ \Big(\ G[F,\langle\langle g_1,g_2\rangle,\bar{p}\rangle] =
\left\{\begin{array}{ll}
G[F,\langle\bar{p}\rangle] & \Leftarrow h_1 = h_2 \\
G[F \smile \langle df[h_1,h_2]\rangle,\ \langle\bar{p}\rangle \smile \langle\langle F_k, df[h_1,h_2]\rangle\rangle_{k=1,\dots,|F|}] & \Leftarrow \text{otherwise}
\end{array}\right. \\
\qquad \text{where } f = lc[g_1,g_2],\ h_1 = trd[rd[f,g_1],F],\ h_2 = trd[rd[f,g_2],F]\ \Big)
\end{array}\right)\Bigg)
$$

This is the scheme by which, for example, the author’s Gröbner bases algorithm can be composed from the function lc (“least common reducible”, i.e. the least common multiple of the leading power products of two polynomials) and the function df (“difference”, i.e. the polynomial difference in the polynomial context). The algorithm scheme can be tried in all domains in which we have a reduction function rd (whose iteration is called trd, “total reduction”) that reduces objects f w.r.t. finite sets F of objects. The algorithm (scheme) starts by producing all pairs of objects in F and then, for each pair (g1, g2), checks whether the total reduction of lc[g1, g2] w.r.t. g1 and g2 yields identical results h1 and h2, respectively. If this is not the case, df[h1, h2] is added to F. 



6 Learning from Failed Reasoning 

Learning from failed reasoning can be applied both in the case of proving propo- 
sitions and in the case of synthesizing methods (algorithms). In this paper, we 
will sketch the method only for the case of method (algorithm) synthesis. 

Let us assume that we are working with some knowledge base K and we are given some problem, e.g. 

$\text{explicit-problem}[A, P, Q],$ 

where the predicates P and Q are “known”, i.e. they occur in the knowledge base K. For example, P and Q could be the unary predicate is-finite-Gröbner-basis and the binary predicate generate-the-same-ideal, respectively. (The exact definitions of these predicates are assumed to be part of K. For details see [7].) Then we can try out various algorithm schemes in our algorithm schemes library L. In the example, let us try out the general scheme critical-pair-completion, i.e. let us assume 

$\text{critical-pair-completion}[A, lc, df].$ 

(It is an interesting, not yet undertaken, research subject to try out for this problem systematically all algorithm schemes that are applicable in the context of polynomial domains and study which ones will work. Interestingly, in the literature, so far all methods for constructing Gröbner bases rely on the critical-pair-completion scheme in one way or the other and no drastically different method has been found!) 

The scheme for the unknown algorithm A involves the two unknown auxiliary functions lc and df. We now start an (automated) proof of the correctness theorem for A, i.e. the theorem 

$\forall_{F}\ \left(\begin{array}{l} \text{is-finite-Gröbner-basis}[A[F]] \\ \text{generate-the-same-ideal}[F, A[F]] \end{array}\right).$ 

Of course, this proof will fail because nothing is yet known about the auxiliary functions lc and df. We now analyze carefully the situation in which the proof fails and try to guess requirements that lc and df should satisfy in order to be able to continue with the correctness proof. It turns out that a relatively simple requirements generation technique suffices for generating, completely automatically, the following requirement for lc 

$\forall_{g_1,g_2}\ \left(\begin{array}{l} lp[g_1] \mid lc[g_1,g_2] \\ lp[g_2] \mid lc[g_1,g_2] \\ \forall_{p}\ \Big( \left(\begin{array}{l} lp[g_1] \mid p \\ lp[g_2] \mid p \end{array}\right) \Rightarrow lc[g_1,g_2] \mid p \Big) \end{array}\right)$ 

where lp[f] denotes the leading power product of polynomial f. This is now again an explicit problem specification, this time for the unknown function lc. We could again run another round of our algorithm synthesis procedure using schemes and failing proof analysis for synthesizing lc. However, this time, the problem is easy enough to see that the specification is (only) met by 

$lc[g_1,g_2] = lcm[lp[g_1], lp[g_2]],$ 

where lcm[p,q] denotes the least common multiple of power products p and q. In fact, the specification is nothing else than an implicit definition of lcm and we can expect that an algorithm satisfying this specification is part of the knowledge base K. 

Heureka! We managed to get the main idea for the construction of Grobner 
bases completely automatically by applying algorithm schemes, automated theo- 
rem proving, and automated failing proof analysis. Similarly, in a second attempt 
to complete the proof of the correctness theorem, one is able to derive that, as 
a possible df, we can take just polynomial difference. 

The current requirements generation algorithm from failing proofs has, roughly, one rule. Given the failing proof situation, collect all temporary assumptions $T[x_0, \dots, A[\dots], \dots]$ and temporary goals $G[x_0, \dots, m[\dots, A[\dots], \dots], \dots]$, where m is (one of) the auxiliary operations in the algorithm scheme for the unknown algorithm A and $x_0$, etc. are the current “arbitrary but fixed” constants, and produce the following requirement for m: 

$\forall_{x,\dots,y,\dots}\ \big(\ T[x,\dots,y,\dots] \Rightarrow G[x,\dots,m[\dots,y,\dots]]\ \big).$ 

This rule is amazingly powerful, as demonstrated by the above nontrivial algorithm synthesis. The invention of failing proof analysis and requirements generation techniques is an important future research topic. 



7 Meta-programming 

Meta-programming is a subtle and not widely available language feature. However, we think that it will be of utmost practical importance for the future acceptance of algorithm-supported mathematical theory exploration systems. In meta-programming, one wants to use the logic language both as an object and a meta-language. In fact, in one exploration session, the language level may change several times and we need to provide means for governing this change in future systems. For example, in an exploration session, we may first want to define (by applying the divide-and-conquer scheme) a sorting algorithm 

$\text{sort}[x] = \left\{\begin{array}{ll} x & \Leftarrow \text{is-short-tuple}[x] \\ \text{merge}[x, \text{sort}[\text{left}[x]], \text{sort}[\text{right}[x]]] & \Leftarrow \text{otherwise} \end{array}\right.$ 

Then we may want to apply one of the provers in the system to prove the algorithm correct, i.e. we want to prove 

$\forall_{x}\ \left(\begin{array}{l} \text{is-sorted}[\text{sort}[x]] \\ \text{contain-the-same-elements}[x, \text{sort}[x]] \end{array}\right)$ 

by calling, say, a prover tuple-induction 

$\text{tuple-induction}\Big[\ \forall_{x}\ \left(\begin{array}{l} \text{is-sorted}[\text{sort}[x]] \\ \text{contain-the-same-elements}[x, \text{sort}[x]] \end{array}\right),\ K_0\ \Big],$ 

and checking whether the result is the constant ‘proved’, where $K_0$ is the knowledge base containing the definition of sort and is-sorted and definitions and propositions on the auxiliary operations. 

Now, tuple-induction itself is an algorithm which the user may want to define himself or, at least, he might want to inspect and modify the algorithm available in the prover library. This algorithm will have the following structure 

$\text{tuple-induction}[\forall_{x} F, K] = \text{and}[\ \text{tuple-induction}[F_{x \leftarrow \langle\rangle}, K],\ \text{tuple-induction}[F_{x \leftarrow \langle x_0, \bar{y}_0\rangle}, \text{append}[K, \dots]]\ ]$ 

where ← is substitution and $x_0$ and $\bar{y}_0$ are “arbitrary but fixed” constants (that must be generated from x, F, and K). 

Also, tuple-induction itself needs a proof that could proceed, roughly, by 
calling a general predicate logic prover in the following way 



$$\text{general-prover}\Bigl[\forall_{x,F,K}\ \bigl(\,(\text{tuple-induction}[\forall_x F, K] = \text{“proved”}) \Rightarrow (\text{append}[ind, K] \models \forall_x F)\,\bigr),$$

where ind are the induction axioms for tuples and ⊨ denotes logical consequence. 

Of course, the way it is sketched above, things cannot work: We are mixing 
language levels here. For example, the ‘∀’ in the previous formula occurs twice 
but on different language layers and we must not use the same symbol for these 
two occurrences. Similarly, the ‘∀’ in the definition of tuple-induction has to be 
different from the ‘∀’ in the definition of sort. In fact, in the above sketch of an 
exploration session, we are migrating through three different language layers. 

We could now use separate name spaces for the various language layers. How- 
ever, this may become awkward. Alternatively, one has to introduce a “quoting 
mechanism”. The problem has been, of course, addressed in logic, see [22] for 
a recent discussion but we think that still a lot has to be done to make the 
mechanism practical and attractive for the intended users of future reasoning 
systems. In Theorema, at present, we are able to define algorithms and formu- 
late theorems, apply algorithms and theorems to concrete inputs (“compute”) 
and prove the correctness of algorithms and theorems in the same session and 
using the same language, namely the Theorema version of predicate logic. For 
this, the name spaces are automatically kept separate without any action needed 
from the side of the user. However, we are not yet at the stage where we could 
also formulate provers and prove their correctness within the same language and 
within the same session. This is a major design and implementation goal for the 
next version of Theorema. An attractive solution may be possible along the 
lines of [25] and [26]. 

8 Conclusion 

We described mathematical theory exploration as a process that proceeds in a 
spiral. In each cycle of the spiral, new axioms (in particular definitions), propo- 
sitions, problems, and methods (in particular algorithms) are introduced and 
studied. Both the invention of axioms, propositions, problems, and methods and 
the verification of propositions and methods can be supported by algorithms (“al- 
gorithmic reasoners”). For this, at any stage of an exploration, we have to be able 
to act both on the object level of the formulae (axioms, propositions, problems, 
methods) and the meta-level of reasoners. We sketched a few requirements future 
mathematical exploration systems should fulfil in order to become attractive as 
routine tools for the exploration activity of working mathematicians. 

A particular emphasis was put on the interaction between the use of schemes 
(axiom schemes, proposition schemes, problem schemes, and algorithm schemes) 
and the algorithmic generation of conjectures from failing proofs as a general 
heuristic, computer-supportable strategy for mathematical invention. The po- 
tential of this strategy was illustrated by the automated synthesis of the author’s 
Gröbner bases algorithm. The ideas presented in this paper will serve as work 
plan for the next steps in the development of the Theorema system. 
Abstract. This article presents the development of an expert system 
on detection, evaluation and treatment of hypertension (high blood pres- 
sure), together with an outline of the associated computational processes. 
It has been implemented on the computer algebra system Maple. 

The starting point is the knowledge about detection of major cardiovas- 
cular disease (CVD) risk and about detection, evaluation and treatment 
of hypertension, provided in table and algorithm format by experts from 
some well known medical societies and committees. As the drug choices 
for treating hypertension depend on whether the patient suffers, among 
other diseases, from high CVD risk or not, the expert system consists 
of two consecutive subsystems. The first one determines the CVD risk 
level, while the second one uses the output of the first one to detect, 
evaluate and, if necessary, suggest a treatment of hypertension. 

The knowledge expressed by the experts was revised and reorganized by 
the authors. Curiously, some errata were found in some of the classifica- 
tions provided in table format. 

The computational processes involved are simple because the cases are 
already separated (disjoint), so they can be translated into IF...THEN... 
rules that can be applied using classifications in simple procedures. 
Therefore, verification is restricted to considering a few cases (the con- 
junction of all diseases together with different CVD risks). Nevertheless, 
we think this is a very useful piece of software for practitioners, because, 
to reach, for instance, the treatment of hypertension, several messy con- 
catenated steps have to be taken. 

Keywords: Expert Systems, Hypertension, Computer Algebra Systems, 
Medical Informatics. 
1 Introduction 

A considerable amount of work, including [1] (probably the best known, although 
not the only example) has been carried out in the field of medical rule-based ex- 
pert systems. For instance, a formal method for creating appropriateness criteria 
[2] has been developed at the RAND Health Service (Santa Monica, California): 
it is based on combining literature review and ratings from expert panels. One 
problem with the current RAND methodology is to ensure logical consistency: 
RAND researchers manually develop algorithms from ratings and re-meet with 
experts to settle inconsistencies [3]. Alternative approaches to this problem have 
been proposed e.g. in [4-6]. 

Many health organizations are now developing and using evidence-based poli- 
cies for medical care. They are created using systematic methodologies. In the 
field of major cardiovascular disease (CVD) risk and hypertension (high blood 
pressure), we can underline: the International Society of Hypertension of the 
World Health Organization (ISH-WHO), the Joint National Committee on Pre- 
vention, Detection, Evaluation and Treatment of High Blood Pressure (JNC) of 
the National Heart, Lung, and Blood Institute (U.S. Dept. of Health and Human 
Services)... [7-11]. They are not designed for retrospective evaluation of medi- 
cal practice, but as a decision-making aid. As far as we know, expert systems 
directly based on these reports in the field of hypertension haven’t spread. 
A new proposal of an expert system on the topic is detailed below. 

2 General Description 

This article extracts the information and knowledge from different sources [7- 
11] and merges it with the knowledge of the three coauthors who are MDs. Let 
us underline that one of the authors is the chief of the Hypertension Unit of 
one of the main Spanish hospitals and another of the authors is finishing his PhD 
in Medicine on this topic. The accurate knowledge representation needed to 
implement these topics has required a refinement in the details of the tables and 
algorithms provided. Finally, the logic and computational processes are simple 
but sound. 

2.1 Data Acquisition 

First, different data from the patient have to be acquired. They are: 

— Blood Pressure (BP): Systolic Blood Pressure (SBP) and Diastolic Blood 
Pressure (DBP) figures. 

— Major cardiovascular disease (CVD) risk (Boolean) factors, apart from hy- 
pertension (*): obesity, dyslipidemia, diabetes mellitus (DM) (†), cigarette 
smoking, physical inactivity, microalbuminuria (estimated filtration rate < 
60 mL/min) (‡), age (>55 for men, >65 for women), family history of pre- 
mature CVD (men age <55, women age <65). Note that hypertension is 
another CVD risk factor, but it is not a datum, as it is deduced from the 
SBP and DBP. 
— Other cardiovascular disease (CVD) risk-related (Boolean) facts (**): target 
organ damage (TOD), associated clinical alterations (ACA), diabetes (1). 

— Other pathologies suffered by the patient (Boolean) (***): heart failure, post 
myocardial infarction, high CVD risk (2), diabetes (1), chronic kidney disease 
(3), recurrent stroke prevention. 



2.2 First Subsystem: CVD Risk Evaluation 

The patient’s SBP and DBP are used to allocate him in a (refined) category of 
BP (Normal / Prehypertension / Stage 1 Hypertension / Stage 2a Hypertension / 
Stage 2b Hypertension). This classification is intermediate between those of [9] 
and of [10,11]. 

The computational processes involved are simple because the cases are al- 
ready separated (disjoint), so they can be translated into IF...THEN... rules 
that can be applied using classifications in simple procedures. 

The assessment of the factors in (*) is provided by history, physical exami- 
nation, laboratory tests, electrocardiograms... 

From the refined BP category obtained and the data in (*), a grade of 
CVD risk is calculated using tables [7,8], which we have also translated into 
IF...THEN... rules. The computational processes are simple too (because the 
cases are again disjoint). The same will happen with the second subsystem. 

2.3 Second Subsystem: Hypertension Detection, Evaluation 
and Treatment 

Now the items in (**) and (***) are assessed: (1) has already been asked in (†); 
(2) has just been evaluated from the data in (*) by the first subsystem; (3) is 
deduced from (‡) and the information about the rest of the items can be found 
in the patient’s clinical history. 

The patient’s SBP and DBP are used to allocate him in a category of BP 
(Normal - Prehypertension - Stage 1 Hypertension - Stage 2 Hypertension). This 
classification is the one suggested in [10, 11]. 

From this information, and following a certain treatment algorithm, the au- 
thors of [10, 11] recommend: 

— individuals who are prehypertensive: practice lifestyle modifications in order 
to reduce the risk of developing hypertension (no drug therapy) 

— individuals with hypertension (stages 1 and 2) be treated with an appropriate 
drug therapy if a first trial of lifestyle modification fails: 

• individuals with hypertension of stage 1 (not suffering other pathologies) 
that need drug therapy be treated with thiazide diuretic (THIAZ) or a 
combination including this therapy 

• individuals with hypertension of stage 2 (not suffering other pathologies) 
that need drug therapy be treated with a 2-drug combination 

• individuals with hypertension of any stage (also suffering from other 
pathologies) that need drug therapy should have it adjusted according 
to those pathologies. 
According to [10,11], the goal is to return both SBP and DBP into the 
Normal or Prehypertensive regions. In case of patients with diabetes or chronic 
kidney disease, the goal is stricter: SBP<130 mmHg and DBP<80 mmHg. 

2.4 Algorithm 

The whole process is summarized in the algorithm of Figure 1. The different 
steps of the process will be analyzed in detail in the next sections. 




Fig. 1. Algorithm 

We plan to inform JNC of the inaccuracies detected in their tables, as well as 
the existence of this expert system (it is going to be extensively clinically tested 
prior to spreading). 

3 BP Classification 

JNC 7 [10,11] proposes the classification of BP for adults aged 18 and more 
included in Table 1. It will be the one used by our second subsystem. A refined 
one (Table 2), inspired by that of JNC6 [9] and [8], where Stage 2 is divided into 
stages 2a and 2b, but suppressing the “optimal” category, is used in the first 
subsystem. 
Table 1. Classification of BP 

Category                SBP mmHg        DBP mmHg 
Normal                  <120      and   <80 
Prehypertension         120-139   or    80-89 
Hypertension, Stage 1   140-159   or    90-99 
Hypertension, Stage 2   ≥160      or    ≥100 



Table 2. Refined classification of BP 

Category                 SBP mmHg        DBP mmHg 
Normal                   <120      and   <80 
Prehypertension          120-139   or    80-89 
Hypertension, Stage 1    140-159   or    90-99 
Hypertension, Stage 2a   160-179   or    100-109 
Hypertension, Stage 2b   ≥180      or    ≥110 



Table 3. Table 1, once corrected 

Category                SBP mmHg        DBP mmHg 
Normal                  <120      and   <80 
Prehypertension         120-139   and   <90 
                  or    <140      and   80-89 
Hypertension, Stage 1   140-159   and   <100 
                  or    <160      and   90-99 
Hypertension, Stage 2   ≥160      or    ≥100 



It seems clear that the four regions that Table 1 is meant to define are those 
in Figure 2. 

But only the “Normal” and “Stage 2 Hypertension” regions are correctly 
defined. For instance, if the pseudo-classification of Table 1 were followed strictly, 
the diagnosis for a patient with SBP = 130 mmHg ∧ DBP = 100 mmHg would 
be a double “Prehypertension” and “Stage 2 Hypertension”! The reason is that 
the regions “Prehypertension” and “Stage 1 Hypertension” defined by those 
tables don’t have the shape shown in Figure 2. For instance, the Prehypertension 
region really defined by Table 1 is shown in Figure 3. Therefore, the regions are 
not disjoint, so Table 1 doesn’t provide a real classification. Admitting that the 
intention of those who wrote Table 1 was to describe the regions in Figure 3, a 
correct description would appear in Table 3. 

The same problem arises in Table 2. It is similarly corrected (Table 4). Curi- 
ously, these inaccuracies were found when implementing the corresponding IF... 
THEN... rules, so there has been a certain feedback from the implementation. 
Fig. 2. Regions presumably corresponding to Table 1 (axes: SBP mmHg, DBP mmHg) 

Fig. 3. Prehypertension region, as defined in Table 1 (axes: SBP mmHg, DBP mmHg) 



Nevertheless, although a computer language needs correct specifications, these 
inaccuracies are overcome by practitioners (due to their implicit knowledge). 



4 CVD Risk Classification 

In [8], when hypertension is present, and partially following [7,9], Table 5 is 
proposed for classifying the CVD risk (CVDRF stands for CVD Risk Factors, 
apart from hypertension; TOD, DM and ACA were introduced in Section 
2.1). 

Again, this is a pseudo-classification, as, for instance, “Stage 2a Hyperten- 
sion” ∧ “0 CVDRF” ∧ “ACA” would also lead to a double: “Medium CVD risk” 
and “Very High CVD risk”. 

In our opinion the first three rows should include that there are no ACA, and 
the first two rows should also include that the patient doesn’t suffer from DM 
and there is no TOD. Again, these inaccuracies are overcome by practitioners 
(due to their implicit knowledge), but we have made these details precise in our 
adapted table (Table 6). We shall represent by nCVDRF the number of CVDRF 
(hypertension is excluded). 

Moreover, as this is going to be a first step of a deduction process, two 
columns (corresponding to Normal BP and Prehypertension) have been added 
on the left hand side of the new Table 6, so that we can forward fire all cases. 
From the medical point of view, these two new columns are of no interest, as Table 

5 was a classification of CVD Risk when hypertension was present. Specifically, 
Table 4. Table 2, once corrected 

Category                 SBP mmHg        DBP mmHg 
Normal                   <120      and   <80 
Prehypertension          120-139   and   <90 
                   or    <140      and   80-89 
Hypertension, Stage 1    140-159   and   <100 
                   or    <160      and   90-99 
Hypertension, Stage 2a   160-179   and   <110 
                   or    <180      and   100-109 
Hypertension, Stage 2b   ≥180      or    ≥110 



Table 5. Classification of CVD risk when hypertension is present 

CVD Risk Factors and other CVD facts   St. 1 Hyp.   St. 2a Hyp.   St. 2b Hyp. 
0 CVDRF                                Low          Medium        High 
1 or 2 CVDRF                           Medium       Medium        Very high 
≥3 CVDRF ∨ TOD ∨ DM                    High         High          Very high 
ACA                                    Very high    Very high     Very high 



the last row of those first two columns makes no sense, as without hypertension 
there can be no ACA associated to hypertension. 

5 Basic Notions on Rule Based Expert Systems 

A Rule Based Expert System (RBES) contains rules, facts and integrity con- 
straints that translate the information provided by the experts. Let us describe 
these items using an elementary set of rules written in bivalued logic (α, β, γ, 
δ, ε, η, θ, ζ represent propositional variables). In addition to these items, the 
RBES is provided with an inference engine and, possibly, a user interface. 

Rule 1. α ∧ ¬β → γ 
Rule 2. γ → δ ∨ ε 
Rule 3. η → ¬ε 
Rule 4. δ → θ 
Rule 5. ζ → ¬θ 

Letters like α or letters preceded by ¬, like ¬β, are called literals. 

Rules are implications between a literal or conjunction of literals (antecedent), 
and a literal or disjunction of literals (consequent). 

A potential fact is any literal that appears in at least one antecedent but in 
no consequent of the rules. In our example, α, ¬β, η and ζ are potential facts. 
Table 6. Classification of CVD risk (adapted) 

CVD Risk Factors and other CVD facts   Normal   Prehyp.   St. 1 Hyp.   St. 2a Hyp.   St. 2b Hyp. 
nCVDRF=0 ∧ ¬TOD ∧ ¬DM ∧ ¬ACA           Low      Low       Low          Medium        High 
1≤nCVDRF≤2 ∧ ¬TOD ∧ ¬DM ∧ ¬ACA         Low      Low       Medium       Medium        Very high 
(nCVDRF≥3 ∨ TOD ∨ DM) ∧ ¬ACA           Low      Low       High         High          Very high 
ACA                                    Low      Low       Very high    Very high     Very high 



A fact is any potential fact that the user states to hold. For instance, the user 
may state that the potential fact ζ is given as a fact. 

An Integrity Constraint (IC) is any well formed combination of literals and 
connectives that an expert has asserted to never hold. For instance, suppose 
that an expert asserts that γ and ¬θ never hold together. We then have new 
information to be added to the RBES: the negation of the integrity constraint 
(NIC): ¬(γ ∧ ¬θ). 

It is said that a rule can be forward fired if all the literals in the antecedent 
are facts (or derived facts, see below). Forward firing corresponds to the formal 
logic rule of “modus ponens”. The inference engine of the RBES fires the rules. 

In some cases, the consequent of a rule may be part of the antecedent of 
another rule, like γ in Rules 1 and 2. If α, ¬β and η are facts, then forward 
firing Rule 1 outputs γ, γ being an example of what is called a derived fact. 
Now, forward firing Rule 2 and Rule 3 outputs δ ∨ ε and ¬ε, so δ and ¬ε are also 
derived facts (because δ is a tautological consequence of δ ∨ ε and ¬ε). 

There are two main types of logical inconsistencies. 

If we are given the RBES composed of Rules 4 and 5 and facts δ and ζ, 
forward firing outputs the logical contradiction θ ∧ ¬θ. 

Suppose that we are given the facts α, ¬β and ζ in a RBES composed only 
of Rules 1 and 5, to which the NIC ¬(γ ∧ ¬θ) is added. In this case, forward 
firing leads to the IC γ ∧ ¬θ, so the logical contradiction IC ∧ NIC is obtained. 

In the RBES composed of Rules R1, R2, R3, R4 and R5, if α, ¬β, η and ζ 
are given as facts, both types of contradictions are reached. 

Observe that if a logical contradiction is inferred (by forward firing) from 
the rules and ICs in a RBES and a consistent set of facts (that is, a set of facts 
that doesn’t include together a literal and its negation), we say that the RBES 
is inconsistent. In such a case all formulae written in the language of the RBES 
follow from the rules and ICs in the RBES and that consistent set of facts. 

6 Detailing the Expert System 

A RBES can use a Boolean logic, a multi-valued modal logic, a fuzzy logic... 
Boolean logic should not be used when a level of certainty is to be assigned 
to the data (which is usually the case when dealing with medical information). 
This is not the case here, as the input data have a True/False format and data 
acquisition is precise (all input data can be clearly determined from the his- 
tory, physical examination, laboratory tests, electrocardiograms...). Moreover, 
proceeding with only part of the input data could be very dangerous (e.g. the 
suggested medication could be incompatible). 

As said in the introduction, this work is mainly based on the conclusions of 
the committees of the ISH-WHO [7], JNC 6 [9] and JNC 7 [10, 11]. These commit- 
tees release conclusions based on large-scale clinical trials and sound statistical 
studies, and are considered the main reference in the field. This widely ac- 
cepted knowledge is what our program automates. Our inference engine doesn’t 
add any new rule; it just incorporates the conclusions of these committees, so 
we don’t have to deal with confidence thresholds of newly added knowledge. 



6.1 Translation of the Corrected BP Classification Tables 
to a Set of Production Rules 

Now that the semialgebraic regions defined by Table 3 are disjoint, the informa- 
tion contained in it can be translated as the following set of rules: 

IF SBP<120 AND DBP<80 THEN Normal 
IF 120≤SBP<140 AND DBP<90 THEN Prehypertension 
IF SBP<140 AND 80≤DBP<90 THEN Prehypertension 
IF 140≤SBP<160 AND DBP<100 THEN Stage 1 Hypertension 
IF SBP<160 AND 90≤DBP<100 THEN Stage 1 Hypertension 
IF SBP≥160 THEN Stage 2 Hypertension 
IF DBP≥100 THEN Stage 2 Hypertension 

The information in Table 4 can be translated similarly. 

On previous occasions we have implemented expert systems devoted to other 
illnesses where the rules really had to be fired again and again, as 
new derived facts were obtained each time. Then we used a Gröbner bases-based 
inference engine [5, 6, 12, 13] based on an application to RBES by these authors 
[14], itself based on previous works for Boolean logic [15, 16] and modal multi- 
valued logics [17]. Such an approach would be underused here, as rules have to 
be fired only once. Therefore we have decided to implement simple proce- 
dures in Maple using IF... THEN... ELSE... nested conditionals, like the following 
procedure, that determines the particular BP case. 

> class_BP:=proc() 
> global BP;   # SBP and DBP hold the patient's figures; BP receives the category 
> if SBP>=160 or DBP>=100 
> then BP:=Hypertension2 
> elif SBP>=140 or DBP>=90 
> then BP:=Hypertension1 
> elif SBP>=120 or DBP>=80 
> then BP:=Prehypertension 
> else BP:=Normal 
> fi; 
> NULL; 
> end: 

Observe that, comparing with the tables, the nesting has been done from 
bottom to top, so that shorter conditions (almost identical to those in the original 
table) could be used. 
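As an added illustration (Python, not the paper's Maple code), the following renders Table 1 as independent rules, the Section 6.1 rules of the corrected Table 3, and the nested conditionals of class_BP, then checks by brute force over an integer mmHg grid that the corrected rules partition the plane while Table 1's do not; the category strings and function names are this example's own.

```python
# Added example (not the paper's Maple code): Table 1 read literally, the
# corrected Table 3 rules of Section 6.1, and the nested-conditional form of
# class_BP, with a brute-force check that the corrected rules really form a
# classification (every SBP/DBP point gets exactly one category).

NORMAL, PREHYP, STAGE1, STAGE2 = (
    "Normal", "Prehypertension", "Stage 1 Hypertension", "Stage 2 Hypertension")


def table1_rules(sbp, dbp):
    """Table 1 taken at face value: each row is an independent rule.
    Returns every category whose row fires (possibly none or several)."""
    hits = []
    if sbp < 120 and dbp < 80:
        hits.append(NORMAL)
    if 120 <= sbp <= 139 or 80 <= dbp <= 89:
        hits.append(PREHYP)
    if 140 <= sbp <= 159 or 90 <= dbp <= 99:
        hits.append(STAGE1)
    if sbp >= 160 or dbp >= 100:
        hits.append(STAGE2)
    return hits


def table3_rules(sbp, dbp):
    """The seven IF...THEN rules of Section 6.1 (corrected Table 3).
    Two rules may name the same category; duplicates are collapsed."""
    hits = set()
    if sbp < 120 and dbp < 80:
        hits.add(NORMAL)
    if 120 <= sbp < 140 and dbp < 90:
        hits.add(PREHYP)
    if sbp < 140 and 80 <= dbp < 90:
        hits.add(PREHYP)
    if 140 <= sbp < 160 and dbp < 100:
        hits.add(STAGE1)
    if sbp < 160 and 90 <= dbp < 100:
        hits.add(STAGE1)
    if sbp >= 160:
        hits.add(STAGE2)
    if dbp >= 100:
        hits.add(STAGE2)
    return sorted(hits)


def class_bp(sbp, dbp):
    """Python rendering of the paper's class_BP: nested from the bottom of
    the table upwards, so each test is as short as the original row."""
    if sbp >= 160 or dbp >= 100:
        return STAGE2
    if sbp >= 140 or dbp >= 90:
        return STAGE1
    if sbp >= 120 or dbp >= 80:
        return PREHYP
    return NORMAL


def check_partition(rules, sbp_max=250, dbp_max=200):
    """Count grid points (integer mmHg) that the rule set leaves without a
    category (gaps) or gives more than one (overlaps)."""
    gaps = overlaps = 0
    for sbp in range(sbp_max + 1):
        for dbp in range(dbp_max + 1):
            n = len(rules(sbp, dbp))
            if n == 0:
                gaps += 1
            elif n > 1:
                overlaps += 1
    return gaps, overlaps


def nesting_matches_rules(sbp_max=250, dbp_max=200):
    """The nested conditionals and the Table 3 rules agree at every point."""
    return all(table3_rules(s, d) == [class_bp(s, d)]
               for s in range(sbp_max + 1) for d in range(dbp_max + 1))


if __name__ == "__main__":
    # The paper's counter-example: SBP = 130 mmHg and DBP = 100 mmHg.
    print("Table 1:", table1_rules(130, 100))   # two categories at once
    print("Table 3:", table3_rules(130, 100))   # exactly one
    print("Table 1 gaps/overlaps:", check_partition(table1_rules))
    print("Table 3 gaps/overlaps:", check_partition(table3_rules))
```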

6.2 Translation of the Adapted CVD Classification Table 
to a Set of Production Rules 

The information in Table 6 can also be translated as a set of rules. We list after- 
wards some condensed ones (we have included OR connectives in the antecedents 
in order to reduce the number of rules, although this doesn’t agree with the definition 
in Section 5): 

IF BP=Normal OR BP=Prehypertension THEN Low 
IF ACA AND (BP = St. 1 Hyp. OR BP = St. 2a Hyp. OR BP = St. 2b Hyp.) 
THEN Very High 

IF ¬ACA AND (nCVDRF > 0 OR TOD OR DM) THEN Very High. 

IF ¬ACA AND nCVDRF = 0 AND ¬TOD AND ¬DM THEN High. 



For the sake of brevity, the corresponding Maple code is not included (it has 
also been implemented using nested conditionals). 

6.3 Translating the Kind of Treatment 

As mentioned in section 2.3, the kind of treatment is based in the BP of the 
patient, but a distinction in the borders between regions is made if the patient 
suffers from diabetes or chronic kidney disease by the authors of [10,11]. The 
different recommendations were detailed in Section 2.3. The computational ap- 
proach is similar to those described in sections 6.1 and 6.2. 

6.4 Specific Therapy Options 

For instance, in [10,11] the kind of treatment is based on the possible occur- 
rence of other pathologies suffered by the patient. Of the different initial ther- 
apy options: THIAZ (thiazide diuretic), ACEI (angiotensin converting enzyme 
inhibitor), ARB (angiotensin receptor blocker), BB (beta blocker), CCB (calcium 
channel blocker), ALDO ANT (aldosterone antagonist), only some are adequate 
Table 7. Specific therapy options 

Pathology                      Therapy options 
Heart Failure                  THIAZ, BB, ACEI, ARB, ALDO ANT 
Post myocardial Infarction     BB, ACEI, ALDO ANT 
CVDR=High or CVDR=Very High    THIAZ, BB, ACEI, CCB 
Diabetes                       THIAZ, BB, ACEI, ARB, CCB 
Chronic kidney disease         ACEI, ARB 
Recurrent stroke prevention    THIAZ, ACEI 



for each of the pathologies that the patient could suffer that interact with the 
hypertension’s drug therapy. We have followed the recommendations of [10, 11], 
summarized in Table 7. 

What the corresponding procedure we have implemented does is to consider 
sets of drug therapies for each pathology, and to intersect them (using Maple's 
intersect command), according to the individual’s sufferings. 

7 Verification 

Logic verification of the first subsystem (CVD risk evaluation) is not necessary, 
as disjoint cases are described. Almost the same can be said about the second 
subsystem (detection, evaluation and treatment of hypertension), where it is 
enough to check some details, e.g. the compatibility of medications when different 
pathologies appear simultaneously. 

We have checked the conjunction of all pathologies, together with the different 
BP categories, and no anomalies were found. For instance, if an individual 
with hypertension of stage 1 answered “yes” to all questions, then we would 
have (input lines are preceded by “>”, while output lines are centered): 

> treat_HBP(); 

Lifestyle modifications suggested. 

Therapy Options: 

{ACEI} 
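Added example (Python, not the paper's Maple implementation) covering Sections 6.2, 6.4 and 7: Table 6 as rules for the CVD-risk grade, Table 7 as option sets intersected per pathology, and the verification case above (stage 1, every question answered “yes”) reproducing the single option {ACEI}. Pathology keys, stage names and the treat_hbp signature are assumptions of this example; the 2-drug combination for stage 2 is kept as a note because [10, 11] name no fixed set for it.

```python
# Added example (not the paper's Maple code). Pathology keys, stage names
# and the treat_hbp signature are this example's own assumptions.

def class_bp_refined(sbp, dbp):
    """Table 4 (refined categories), nested bottom-to-top like class_BP."""
    if sbp >= 180 or dbp >= 110:
        return "Stage 2b Hypertension"
    if sbp >= 160 or dbp >= 100:
        return "Stage 2a Hypertension"
    if sbp >= 140 or dbp >= 90:
        return "Stage 1 Hypertension"
    if sbp >= 120 or dbp >= 80:
        return "Prehypertension"
    return "Normal"


# Table 6, hypertension columns only. Row 0: nCVDRF=0; row 1: 1<=nCVDRF<=2;
# row 2: nCVDRF>=3 or TOD or DM. All three rows assume no ACA.
_TABLE6 = {
    "Stage 1 Hypertension":  ("Low", "Medium", "High"),
    "Stage 2a Hypertension": ("Medium", "Medium", "High"),
    "Stage 2b Hypertension": ("High", "Very high", "Very high"),
}


def cvd_risk(bp, ncvdrf, tod, dm, aca):
    """First subsystem: CVD risk grade from the refined BP category (Table 6)."""
    if bp in ("Normal", "Prehypertension"):
        return "Low"            # the two columns added to Table 6
    if aca:
        return "Very high"      # last row of Table 6, whatever the stage
    if ncvdrf >= 3 or tod or dm:
        row = 2
    elif ncvdrf >= 1:
        row = 1
    else:
        row = 0
    return _TABLE6[bp][row]


# Table 7: initial therapy options adequate for each interacting pathology.
THERAPY_OPTIONS = {
    "heart failure": {"THIAZ", "BB", "ACEI", "ARB", "ALDO ANT"},
    "post myocardial infarction": {"BB", "ACEI", "ALDO ANT"},
    "high CVD risk": {"THIAZ", "BB", "ACEI", "CCB"},
    "diabetes": {"THIAZ", "BB", "ACEI", "ARB", "CCB"},
    "chronic kidney disease": {"ACEI", "ARB"},
    "recurrent stroke prevention": {"THIAZ", "ACEI"},
}


def therapy_options(pathologies):
    """Intersect the option sets of all pathologies present (Maple's intersect).
    None means no pathology restricts the choice."""
    options = None
    for p in pathologies:
        options = set(THERAPY_OPTIONS[p]) if options is None else options & THERAPY_OPTIONS[p]
    return None if options is None else frozenset(options)


def treat_hbp(sbp, dbp, ncvdrf, tod, dm, aca, pathologies=()):
    """Second subsystem, following Section 2.3. Item (2) 'high CVD risk' is
    taken from the first subsystem and item (1) 'diabetes' from the DM factor."""
    bp = class_bp_refined(sbp, dbp)
    risk = cvd_risk(bp, ncvdrf, tod, dm, aca)
    present = set(pathologies)
    if dm:
        present.add("diabetes")
    if risk in ("High", "Very high"):
        present.add("high CVD risk")
    strict = dm or "chronic kidney disease" in present   # stricter goal [10, 11]
    result = {
        "bp": bp, "cvd_risk": risk,
        "goal": "SBP<130 and DBP<80" if strict else "Normal or Prehypertension",
        "lifestyle": bp != "Normal", "options": None, "note": "",
    }
    if bp == "Normal":
        return result
    if bp == "Prehypertension":
        result["note"] = "no drug therapy"
    elif present:
        result["options"] = therapy_options(present)   # adjusted to pathologies
    elif bp == "Stage 1 Hypertension":
        result["options"] = frozenset({"THIAZ"})
    else:
        result["note"] = "2-drug combination"            # [10, 11] fix no set
    return result
```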



8 User Interface 

A friendly interface, similar to the one implemented for the CoCoA-based Anore- 
xia detection expert system [12], that simplifies data introduction and hides the 
computations carried out, has been implemented using Maple's Maplets (Figure 
4). In order to spread this work, we plan to translate the code into a compilable 
computer language and produce a stand-alone application. 

9 Conclusions 

We should stress that interaction with the experts is necessary in order to 
search for the best representation of knowledge from the medical viewpoint. 
Fig. 4. User interface (Maplet window “HYPERTENSION EXPERT SYSTEM”: input fields for SBP, DBP and the Boolean factors, with the computed BP classification, CVDR classification, general suggestions and therapy options) 



What was unexpected was the feedback from the computer scientists that minor 
errata appeared in the tables provided by the doctors. 

Using a Computer Algebra System has made it possible to shorten the devel- 
opment period, thanks to its wide range of possibilities. 
Finally, we think this can be a very useful piece of software for practitioners, 
because, to reach, for instance, the treatment of hypertension, several messy con- 
catenated steps have to be taken. Practitioners can use the results in this work 
to improve their clinical practice (although the patient should be forwarded to 
a hypertension specialist). Moreover, specialists in the particular field of hyper- 
tension can use the results generated by this expert system to compare them 
with their personal opinion. 
Abstract. In this paper, we are interested in geographic information 
revision in the framework of a flooding problem. We show how to express 
and how to revise this problem by using simple linear constraints. We 
present two revision strategies based on linear constraints resolution: 
the partial revision and the global revision methods. We apply these 
approaches on both a real-world flooding problem and random flooding 
instances. 

Keywords: Revision, Linear constraints, Geographic information. 



1 Introduction 

Many research works have been done in the field of knowledge revision (see [1, 
5] for overviews). Revision is the restoration of the knowledge base consistency 
by considering more reliable information. It identifies the inconsistencies, then 
corrects them by keeping a maximum of the initial information unchanged. 

In this paper, we are interested in geographic knowledge revision based on 
linear constraints resolution in the framework of a flooding problem. We show 
how the flooding problem is expressed by linear constraints and propose two 
revision methods: the partial revision and the global revision methods. 

The rest of this paper is organized as follows. We describe in section 2 the 
flooding problem and show how it can be represented by linear constraints. 
Section 3 presents the revision steps. We propose in section 4 two revision methods. We 
experiment, in section 5, with both revision methods on a real flooding application 
and on random flooding instances. Section 6 concludes the work. 

This paper is a condensed version of [4]. 

2 Description and Representation 
of the Flooding Problem 

During a flooding in the Herault valley (in the south of France) , a part of this 
area was studied in order to get correct estimates of the water heights (above the 
sea level) in the flooded parcels. Two kinds of information are available: (i) the 
estimates of the water height in each parcel, (ii) the observations on hydraulic 
relations between some adjacent parcels. 

The flooding problem is represented by the linear constraint network $N = 
(X, C)$ where $X$ is a set of continuous variables, $X_i$ corresponding to the water 
height in parcel $i$. $C$ is the set of constraints representing both estimates on 
water heights and the hydraulic relations. The constraints are defined as follows: 
Estimates on water heights: Each parcel $i$ is associated with the constraints 
$l_i \le X_i - X_0$ and $X_i - X_0 \le u_i$ ($X_0$ represents the sea height, $X_0 = 0$). The 
scalars $l_i$ and $u_i$ are respectively the lower and the upper bounds of the interval 
delimiting the water height in the parcel $i$. 

Hydraulic relations: An observed flow from the parcel $i$ to the parcel $j$ is ex- 
pressed by the constraint $X_j - X_i \le 0$. A hydraulic balance between parcels $i$ 
and $j$ is represented by the constraints $X_j - X_i \le 0$ and $X_i - X_j \le 0$. 

We associate to the linear constraint network $N = (X, C)$ a directed edge- 
weighted graph, $G_d = (X, E_d)$, called the distance graph. $X$ is the set of vertices 
corresponding to the variables of the network $N$, and $E_d$ is the set of arcs repre- 
senting the set of constraints $C$. Each constraint $X_j - X_i \le a_{ij}$ of $C$ is represented 
by the arc $i \to j$, which is weighted by $a_{ij}$. In the sequel, $n$ is the number of the 
vertices of the distance graph $G_d$ and $e$ is the number of its arcs. 

Each of the two sources of information is consistent on its own, but conflicts 
appear when both sources are merged. A conflict is detected when a flow is 
observed from parcel $i$ to parcel $j$ while the estimated water height in $i$ is 
strictly less than the estimated water height in $j$. Since the observations of 
hydraulic relations are considered more reliable than the estimates of water 
heights, these estimates are revised to restore consistency. 

3 Revision 

The revision of a linear constraint network consists in detecting all the conflicts 
in the network, then identifying a subset of constraints whose correction restores 
consistency, and finally correcting those constraints. 



3.1 Detection of Conflicts 

We present a method which detects the conflicts of a linear constraint network. 
It is based on the following theorem. 

Theorem 1. A linear constraint network is consistent if and only if its 
corresponding distance graph does not contain any elementary negative circuit. 

Theorem 1 states that removing all the elementary negative circuits of the 
distance graph restores the consistency of the corresponding linear constraint 
network. To detect the (elementary) negative circuits in the distance graph of a 
flooding problem, we use the following proposition. 

Proposition 2. An elementary circuit in the distance graph of a flooding problem 
is negative if and only if it includes a negative path $\{i, 0, j\}$. 

The path $\{i, 0, j\}$ consists of the arc $i \to 0$ of weight $-l_i$ (the constraint 
$l_i \le X_i - X_0$, i.e. $X_0 - X_i \le -l_i$) and the arc $0 \to j$ of weight $u_j$ (the 
constraint $X_j - X_0 \le u_j$); its weight is therefore $u_j - l_i$, and it is negative 
exactly when $u_j < l_i$. The arcs representing hydraulic relations all have weight 0, 
so they can only close such a path into a circuit, never make a circuit negative by 
themselves. To find all the conflicts, we therefore enumerate all the pairs $(i, j)$ of 
vertices involved in a negative path $\{i, 0, j\}$ and check the existence of an 
elementary path from $j$ to $i$ which does not include the vertex 0. The complexity 
of the conflict detection procedure is $O(n^2 e)$ in the worst case. 

3.2 Representation of the Conflicts 

We recall that we are interested in revising the estimates of water heights in the 
parcels. Each conflict between the constraints $l_i \le X_i - X_0$ and $X_j - X_0 \le u_j$ is 
represented by the tuple $(i, j, u_j - l_i)$. The set of conflicts is represented by the 
graph $G_c = (V, E)$, where $V = \{Low_i, Upp_i : 1 \le i \le n\}$ is the set of vertices, 
$Low_i$ (respectively $Upp_i$) corresponding to the constraint $l_i \le X_i - X_0$ 
(respectively to the constraint $X_i - X_0 \le u_i$). Each conflict $(i, j, u_j - l_i)$ is 
represented by the edge $(Low_i, Upp_j)$. $G_c$ is called the graph of conflicts. 

3.3 Computing a Subset of Constraints to Correct 

To remove all the detected conflicts, some of the constraints involved in them have 
to be revised. We look for a subset of constraints whose revision is sufficient to 
restore consistency. A minimal revision of the problem requires a minimal subset of 
constraints whose correction restores consistency; this amounts to finding a 
minimal vertex cover of the conflict graph. 

Looking for a vertex cover of a fixed size is an NP-complete problem [2], and 
looking for minimal vertex covers is NP-hard. 

To compute a minimal vertex cover of the graph of conflicts, we use the 
Minimal-Cover algorithm (see [4] for details), whose complexity is $O(n_c 2^{n_c})$ in 
the worst case, where $n_c$ is the number of vertices of the conflict graph. 

Another alternative is to consider a "good" vertex cover rather than a minimal 
one. Such a cover is computed by the Good-Cover algorithm (see [4] for details), 
which considers only the vertices of highest degree in the graph of conflicts. The 
complexity of the Good-Cover algorithm is $O(n^2)$ in the worst case. 

3.4 Revision of the Conflicting Constraints 

We now show how to perform the corrections. Let $(i, j, u_j - l_i)$ be a conflict 
between the constraint $l_i \le X_i - X_0$ and the constraint $X_j - X_0 \le u_j$. 
Eliminating this conflict requires the revision of one of these two constraints. The 
following proposition states how this is done. 

Proposition 3. Let $c = (i, j, u_j - l_i)$ be a conflict between the constraints 
$X_j - X_0 \le u_j$ and $l_i \le X_i - X_0$. Replacing the constraint $X_j - X_0 \le u_j$ 
(respectively the constraint $l_i \le X_i - X_0$) by the constraint $X_j - X_0 \le l_i$ 
(respectively the constraint $u_j \le X_i - X_0$) corrects the conflict $c$. 

Either correction only raises an upper bound or lowers a lower bound, i.e. it only 
increases the weight of one arc of the distance graph and can create no new negative 
circuit; hence the revision of a constraint cannot generate new conflicts, and we have 
the following theorem. 

Theorem 4. If the constraints corresponding to a vertex cover of the conflict 
graph of a flooding problem are corrected, then the consistency of the problem is 
restored. 

4 Revision Methods 

In the following we propose two revision methods, the partial revision and the 
global revision, which offer a good compromise between minimality and efficiency 
of the revision. 

4.1 Partial Revision 

The partial revision method first identifies the list $L$ of all the conflicts 
$(i, j, d)$ and sorts it in ascending order of the distances $d$. In the second phase, 
it takes a bundle $L'$ formed of the first $n$ conflicts of the list $L$, then computes 
a minimal vertex cover $C_m$ of the conflict graph corresponding to $L'$. The 
constraints of $C_m$ are revised and all the corresponding conflicts are removed from 
$L$. The second phase is repeated until all the conflicts of $L$ are removed. The 
complexity of the partial revision algorithm is $O(n^2 2^n)$ in the worst case (see [4] 
for details). 

4.2 The Global Revision 

The global revision method detects all the conflicts, then computes a "good" 
subset of constraints whose correction restores consistency. This constraint subset 
corresponds to a "good" vertex cover of the conflict graph, computed by the 
Good-Cover procedure. The complexity of the global revision algorithm is 
$O(n^2 e)$ ([4]). 
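As an added example (it is not the authors' C implementation and is not part of the paper), the following Python code puts Sections 3 and 4 together: conflict detection through the negative path $i \to 0 \to j$ closed by a flow path that avoids vertex 0, the conflict graph, an exhaustive Minimal-Cover-style and a greedy Good-Cover-style vertex cover, the corrections of Proposition 3, and the global and partial revision loops, with the consistency of the result checked by Bellman-Ford negative-circuit detection (Theorem 1). The six-parcel instance, the function names and the use of exhaustive subset enumeration for the minimal cover are assumptions of the example, not taken from the paper.

```python
# Added example, not from the paper: revision of a flooding linear constraint
# network following Sections 3 and 4.  Parcels are 1..n, vertex 0 is the sea
# (X_0 = 0), low[i] <= X_i <= upp[i], and an observed flow (a, b) is the
# constraint X_b - X_a <= 0, i.e. the arc a -> b of weight 0 in the distance graph.
from itertools import combinations

def consistent(n, low, upp, flows):
    """Theorem 1: consistent iff the distance graph G_d has no negative circuit.
    Bellman-Ford from a virtual source joined to every vertex by a 0-weight arc."""
    arcs = [(i, 0, -low[i]) for i in range(1, n + 1)]   # l_i <= X_i - X_0
    arcs += [(0, i, upp[i]) for i in range(1, n + 1)]   # X_i - X_0 <= u_i
    arcs += [(a, b, 0) for a, b in flows]               # X_b - X_a <= 0
    dist = [0] * (n + 1)
    for _ in range(n):                                  # |V| - 1 = n rounds
        for a, b, w in arcs:
            if dist[a] + w < dist[b]:
                dist[b] = dist[a] + w
    return all(dist[a] + w >= dist[b] for a, b, w in arcs)

def detect_conflicts(n, low, upp, flows):
    """Proposition 2: a conflict (i, j, u_j - l_i) is a negative path i -> 0 -> j
    (u_j < l_i) closed by a flow path j ~> i, which never visits vertex 0."""
    succ = {k: [] for k in range(1, n + 1)}
    for a, b in flows:
        succ[a].append(b)
    reach = {}
    for s in succ:                       # vertices reachable from s by flow arcs
        seen, stack = {s}, [s]
        while stack:
            for w in succ[stack.pop()]:
                if w not in seen:
                    seen.add(w)
                    stack.append(w)
        reach[s] = seen
    return [(i, j, upp[j] - low[i]) for j in range(1, n + 1)
            for i in sorted(reach[j]) if upp[j] < low[i]]

def conflict_edges(conflicts):
    """Conflict graph G_c: one edge (Low_i, Upp_j) per conflict (i, j, d)."""
    return [(("Low", i), ("Upp", j)) for i, j, _ in conflicts]

def minimal_cover(edges):
    """Exact minimum vertex cover by exhaustive search (exponential, as Minimal-Cover)."""
    verts = sorted({v for e in edges for v in e})
    for k in range(len(verts) + 1):
        for cand in combinations(verts, k):
            if all(a in cand or b in cand for a, b in edges):
                return set(cand)
    return set()

def good_cover(edges):
    """Greedy cover that repeatedly takes a vertex of highest degree (as Good-Cover)."""
    rest, cover = list(edges), set()
    while rest:
        deg = {}
        for a, b in rest:
            deg[a] = deg.get(a, 0) + 1
            deg[b] = deg.get(b, 0) + 1
        v = max(deg, key=lambda x: (deg[x], x))   # deterministic tie-break
        cover.add(v)
        rest = [e for e in rest if v not in e]
    return cover

def correct(low, upp, cover, conflicts):
    """Proposition 3: raise u_j to l_i when Upp_j is in the cover, otherwise lower
    l_i to u_j.  Bounds only move outward, i.e. arc weights only grow, so no new
    negative circuit (no new conflict) can appear."""
    for i, j, _ in conflicts:
        if ("Upp", j) in cover:
            upp[j] = max(upp[j], low[i])
        else:
            low[i] = min(low[i], upp[j])

def global_revision(n, low, upp, flows):
    """Section 4.2: all conflicts, one good cover, one pass of corrections."""
    conflicts = detect_conflicts(n, low, upp, flows)
    cover = good_cover(conflict_edges(conflicts))
    correct(low, upp, cover, conflicts)
    return len(cover)

def partial_revision(n, low, upp, flows):
    """Section 4.1: conflicts sorted by distance, bundles of n, a minimal cover each."""
    pending = sorted(detect_conflicts(n, low, upp, flows), key=lambda c: c[2])
    corrections = 0
    while pending:
        bundle = pending[:n]
        cover = minimal_cover(conflict_edges(bundle))
        correct(low, upp, cover, bundle)
        corrections += len(cover)
        pending = [(i, j, upp[j] - low[i]) for i, j, _ in pending if upp[j] < low[i]]
    return corrections

# Constructed six-parcel instance (hypothetical heights, not the Herault data).
N = 6
LOW0 = {1: 120, 2: 118, 3: 126, 4: 100, 5: 120, 6: 127}
UPP0 = {1: 130, 2: 125, 3: 132, 4: 110, 5: 128, 6: 135}
FLOWS = [(1, 2), (2, 3), (3, 4), (4, 5), (2, 6)]   # observed flow a -> b

if __name__ == "__main__":
    low, upp = dict(LOW0), dict(UPP0)
    print("conflicts:", detect_conflicts(N, low, upp, FLOWS))       # 3 conflicts
    print("corrected:", global_revision(N, low, upp, FLOWS), upp)   # 2; u_2=127, u_4=120
    print("consistent:", consistent(N, low, upp, FLOWS))            # True
```

On this instance the network is inconsistent before revision (parcel 3 is estimated higher than parcel 2 although water flows from 2 to 3, and likewise for 5 and 4, and 6 and 2). Global revision raises $u_2$ and $u_4$, two corrections; partial revision on a fresh copy also makes two corrections but its exact cover picks $Low_5$ instead of $Upp_4$, so it lowers $l_5$ instead. Both results pass the Bellman-Ford check, and the detection step finds no conflict afterwards, as Theorem 4 predicts.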

5 Experimental Results 

The revision algorithms presented in this paper are implemented in C and run on 
a Pentium 4 at 2.4 GHz with 512 MB of RAM. They are tested both on the real-world 
flooding problem of the Herault valley and on random flooding instances. 

The real flooding problem contains 180 parcels and 630 constraints. Both 
methods solve the problem efficiently (in less than 1 second) and their 
performances are comparable. We then experiment with them on random instances of 
the flooding problem. 

Generation of random flooding problems is based on two parameters: the 
number of variables $n$, and the constraint density $d$, defined as a ratio of the 
number of constraints. The tightness $t$ of the constraints is represented by the 
interval [100, 300] in which the upper and lower bounds of the water height estimates 
are generated. A sample of 50 problems is generated for each tuple $(n, d, t)$ and 
the measures are averaged. 

Table 1. Results of the global and partial revision on random flooding instances 

                               Global revision             Partial revision 
                             Density                      Density 
                             0.2      0.5      0.8        0.2      0.5      0.8 
  n=500    # conflicts       61844    62110    62049      61543    62034    61851 
           # corrections     305      306      308        314      318      317 
           Time (s)          3        1        1          3        2        2 
  n=1000   # conflicts       248277   249962   247737     248640   247275   247718 
           # corrections     619      622      619        635      633      632 
           Time (s)          25       14       9          33       21       16 
  n=2000   # conflicts       994792   993225   996207     998079   998293   993822 
           # corrections     1247     1244     1247       1264     1257     1269 
           Time (s)          202      109      75         306      228      187 

Table 1 shows that the density does not significantly affect the number of 
detected conflicts. However, when the density grows, the revision becomes faster 
for both methods: at higher density the conflicts share more constraints, and their 
elimination is faster. The number of corrected constraints in the global revision is 
always less than in the partial revision, and the global revision is also faster than 
the partial revision, because of the cost of computing minimal covers. 

6 Discussion 

In a recent work [3], we proposed different revision methods in the framework 
of the flooding problem. The first one is the all-conflicts method, which performs 
a minimal revision but is applicable only to small instances of random flooding 
problems. The global revision method proposed in this paper is more efficient, 
although it is not minimal. The partial revision outperforms the hybrid revision 
method proposed in [3]: the heuristic which, at each iteration, selects first the 
conflicts having the smallest distances significantly improves the performance of 
the method. In future work, we will try to extend this work to revise any problem 
expressed as a linear constraint network. 
Abstract. We describe a refutation-based theorem proving algorithm 
capable of checking the satisfiability of non-ground formulae modulo (a 
combination of) theories. The key idea is the use of abstraction to drive 
the application of (i) ground satisfiability checking modulo theories 
axiomatized by equational clauses, (ii) Presburger arithmetic, and (iii) 
quantifier instantiation. A prototype implementation is used to discharge 
the proof obligations necessary to show the correctness of some typical 
programs manipulating arrays. On these benchmarks, the prototype 
automatically discharges more proof obligations than Simplify, the prover 
of reference for program checking, thereby confirming the viability of 
our approach. 



1 Context and Motivation 

Satisfiability procedures for equality and theories of standard data-types, such as 
arrays, lists, and arithmetic, are at the core of most state-of-the-art verification 
tools (e.g., DPLL(T) [6] and Simplify [3]). These are required for a wide range 
of verification tasks and are fundamental for efficiency. Satisfiability problems 
have the form $T \wedge \phi$, where $\phi$ is a Boolean combination of ground literals, $T$ 
is a background theory, and the goal is to prove that $T \wedge \phi$ is unsatisfiable. A 
satisfiability procedure for a theory $T$ is an algorithm capable of checking whether 
$T \wedge \phi$ is satisfiable or not, for any ground formula $\phi$. 

The task of designing, proving correct, and implementing satisfiability 
procedures for decidable theories of practical interest is quite difficult. First, most 
problems involve more than one theory, so that one needs to combine satisfiability 
procedures (see e.g. [7]). Second, every satisfiability procedure needs to 
be proved correct: a key step is to show that whenever the algorithm reports 
"satisfiable", its final state represents a model of $T \wedge \phi$. Unfortunately, 
model-construction arguments can be quite complex (see e.g. [10]). 

Although designing and combining decision procedures are necessary and 
very important activities to build practically useful reasoning tools, they are 
not sufficient. In fact, many proof obligations encountered in routine verification 
problems require a degree of flexibility which is not provided by current 
state-of-the-art tools. The main problem is that only a tiny portion of such proof 
obligations falls exactly into the domain the procedures are designed to solve. As an 
example, consider a satisfiability procedure for the union of (the quantifier-free 
fragment of) the theory $\mathcal{E}$ of equality and the quantifier-free fragment of 
Presburger arithmetic $\mathcal{PA}$, and the formula 

$a < b \;\wedge\; \max(a, b) = a \;\wedge\; \forall X, Y.\,(X < Y \Rightarrow \max(X, Y) = Y).$ (1) 

The available procedure will fail to detect the unsatisfiability of (1) since it 
does not know how to instantiate the quantified variables. Here, we propose a 
mechanism to augment decision procedures to cope with quantifiers. 

2 Abstraction-Driven Refutation Theorem Proving 

For lack of space, we assume the basic notions of first-order logic [4], the super- 
position calculus [8], and the Nelson-Oppen combination schema [7]. 

Handling Ground Formulae. Recently, there has been a lot of interest in 
theorem proving algorithms to discharge the proof obligations arising in various 
verification problems, which are large ground formulae with a complex Boolean 
structure to be checked satisfiable modulo a background theory $T$. An integration 
of propositional solving (SAT, for short) and satisfiability checking modulo $T$ 
has been advocated to efficiently discharge these formulae. The abstract-check-refine 
algorithm underlying such integrations is depicted in Figure 1, where 
$gfol2prop(\phi_g)$ returns the propositional abstraction of the ground formula $\phi_g$ 
(e.g. the abstraction of $(a = b \wedge b = c) \Rightarrow f(a) = f(c)$ is $(p \wedge q) \Rightarrow r$, where $p$ is the 
abstraction of $a = b$, $q$ of $b = c$, and $r$ of $f(a) = f(c)$), $prop2gfol$ is its inverse, 
and $check\text{-}assign$ is such that $check\text{-}assign(T, \beta) = unsat$ iff $\beta$ is unsatisfiable 
modulo $T$; otherwise $check\text{-}assign(T, \beta) = sat$. Many refinements are necessary 
to make this schema efficient (see e.g. [6] for details). 
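The abstract-check-refine loop just described, as an added example in Python (it is neither the haRVey implementation nor code from the paper): the background theory $T$ is equality with uninterpreted functions, $check\text{-}assign$ is a small congruence-closure procedure over a union-find structure, and the propositional assignment of line 4 is picked by brute-force enumeration of the abstraction, which a real integration replaces by a SAT solver. The CNF encoding of formulae, the function names and the two constructed input formulae are assumptions of the example.

```python
# Added example, not from the paper: the abstract-check-refine loop of Fig. 1
# for ground formulae over equality with uninterpreted functions (EUF), using
# congruence closure as check-assign and brute-force enumeration as the SAT
# solver.  Terms are strings (constants) or tuples (symbol, arg, ...); a formula
# is a CNF list of clauses, a literal being (atom, polarity) with atom = (lhs, rhs).
from itertools import product

def subterms(t, acc):
    acc.add(t)
    if isinstance(t, tuple):
        for arg in t[1:]:
            subterms(arg, acc)
    return acc

def check_assign(literals):
    """check-assign(EUF, beta): 'unsat' iff the equality literals are
    contradictory under congruence closure, otherwise 'sat'."""
    terms = set()
    for (l, r), _ in literals:
        subterms(l, terms)
        subterms(r, terms)
    parent = {t: t for t in terms}

    def find(t):
        while parent[t] != t:
            parent[t] = parent[parent[t]]
            t = parent[t]
        return t

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra == rb:
            return False
        parent[ra] = rb
        return True

    for (l, r), pos in literals:          # merge the positive equalities
        if pos:
            union(l, r)
    apps = [t for t in terms if isinstance(t, tuple)]
    changed = True
    while changed:                        # congruence: x ~ y implies f(x) ~ f(y)
        changed = False
        for s in apps:
            for t in apps:
                if s != t and s[0] == t[0] and len(s) == len(t) and \
                        all(find(x) == find(y) for x, y in zip(s[1:], t[1:])):
                    changed |= union(s, t)
    for (l, r), pos in literals:          # a disequality inside one class refutes beta
        if not pos and find(l) == find(r):
            return "unsat"
    return "sat"

def gfol2prop(cnf):
    """Propositional abstraction: atom -> index; returns (prop CNF, atom table)."""
    atoms = []
    for clause in cnf:
        for atom, _ in clause:
            if atom not in atoms:
                atoms.append(atom)
    return [[(atoms.index(a), pos) for a, pos in clause] for clause in cnf], atoms

def check_ground(cnf):
    """Fig. 1: returns ('sat' or 'unsat', number of assignments sent to check-assign)."""
    prop, atoms = gfol2prop(cnf)
    k, rounds = len(atoms), 0
    while True:
        model = next((m for m in product((False, True), repeat=k)          # line 4
                      if all(any(m[v] == pos for v, pos in cl) for cl in prop)), None)
        if model is None:                                                  # phi^P is false
            return "unsat", rounds
        rounds += 1
        beta = [(atoms[v], model[v]) for v in range(k)]                   # prop2gfol(beta^P)
        if check_assign(beta) == "sat":                                   # lines 5-6
            return "sat", rounds
        prop.append([(v, not model[v]) for v in range(k)])                # line 7: phi^P and not beta^P

# Constructed inputs.  To prove (a=b or a=c) and b=d and c=d -> f(a)=f(d) we refute
# its negation; the second formula has a model (a=c, a!=b, f(a)!=f(b)).
def f(x):
    return ("f", x)

PHI_UNSAT = [[(("a", "b"), True), (("a", "c"), True)], [(("b", "d"), True)],
             [(("c", "d"), True)], [((f("a"), f("d")), False)]]
PHI_SAT = [[(("a", "b"), True), (("a", "c"), True)], [((f("a"), f("b")), False)]]

if __name__ == "__main__":
    print(check_ground(PHI_UNSAT))   # ('unsat', 3): three abstract models refuted
    print(check_ground(PHI_SAT))     # ('sat', 1)
```

On PHI_UNSAT the loop refines three times: the first two abstract models are refuted by a disequality that the assignment forces on the theory side, the third one only by the congruence $a = d \Rightarrow f(a) = f(d)$, after which the blocked abstraction has no model and the refutation succeeds. Passing the full assignment to $check\text{-}assign$, as here, is sound but coarse; the refinements alluded to in [6] (partial assignments, theory-derived conflict clauses) are what make the schema efficient in practice.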

        function check_ground(φ_g : ground formula) 
        1   φ^P ← gfol2prop(φ_g) 
        2   while φ^P ≠ false do 
        3   begin 
        4       β^P ← pick a propositional assignment of φ^P 
        5       ρ ← check-assign(T, prop2gfol(β^P)) 
        6       if ρ = sat then return sat 
        7       φ^P ← φ^P ∧ ¬gfol2prop(β^P) 
        8   end 
        9   return unsat 
        end 

Fig. 1. A refutation-based algorithm for ground formulae 

        function check_fol(φ_0 : first-order formula) 
        1   φ'_0 ← innermost-univ(top-ex(φ_0)) 
        2   (φ_g, δ) ← abs-univ(φ'_0) 
        3   return check_ground'(φ_g) 
        end 

        function check_comb(ET : set of clauses, PA : first-order theory, 
                            β : conjunction of ground literals) 
        1   (β_1, β_2) ← purify(β) 
        2   repeat 
        3       α ← pick an arrangement for β_1 and β_2 
        4       (ρ_e, Δ_e) ← check-assign(ET, β_1 ∪ α) 
        5       ρ_a ← check-assign(PA, β_2 ∪ α ∪ Δ_e) 
        6       if (ρ_e = sat) ∧ (ρ_a = sat) then return sat 
        7   until all possible α's have been considered 
        8   return unsat 
        end 

Fig. 2. A refutation-based algorithm for non-ground formulae 

Handling Non-ground Formulae. Although the algorithm of Figure 1 has proved 
to be very effective for hardware verification problems (see again [6] for 
experimental evidence of this), its applicability in program verification is limited 
since the proof obligations arising in such a context frequently contain quantified 
variables, whose instantiation requires some ingenuity. In order to overcome 
this difficulty, we propose the algorithm check_fol in Figure 2, which augments 
check_ground with the capability of handling quantifiers. Let $\phi_0$ be a non-ground 
formula to be checked for unsatisfiability modulo $\mathcal{ET} \cup \mathcal{PA}$, where $\mathcal{ET}$ is a finite 
set of equational clauses. First, we move the existential quantifiers not in the 
scope of a universal quantification to the top-most position in the formula, by 
using obvious rules such as $\exists x.P(x) \vee \exists x.Q(x)$ rewrites to $\exists x, y.(P(x) \vee Q(y))$ (cf. 
top-ex, line 1). Afterwards, we minimize the scope of the remaining quantifiers 
by using the rules for antiprenexing of [9] (cf. innermost-univ, line 1). For 
example, the formula $\forall x.\exists y.(P(x) \wedge Q(y))$ is transformed to $(\forall x.P(x)) \wedge Q(c_y)$, where 
$c_y$ is a Skolem constant. Afterwards, we transform the formula $\phi'_0$ into a ground 
formula $\phi_g$ by replacing the quantified sub-formulae of $\phi'_0$ with fresh propositional 
letters and recording the association between propositional letters and the 
quantified sub-formulae in a mapping $\delta$ (cf. abs-univ, line 2) s.t. $\Delta(\phi_g) = \phi'_0$, 
where $\Delta$ denotes the homomorphic extension of $\delta$ to $\phi_g$ over the Boolean 
connectives. Then, we invoke the function check_ground', which is a modified version 
of check_ground where the call to check-assign (at line 5 in Figure 1) is replaced 
by the following invocation of check_comb (cf. Figure 2): 

5'  $\rho \leftarrow$ check_comb($\mathcal{ET} \cup \delta(\beta^P)$, $\mathcal{PA}$, $prop2gfol(\beta^P)$), 

where the function $\delta$ is s.t. $\delta(\beta) = \{\delta(\lambda) \mid \lambda \in \beta$ and $\lambda$ is in the domain of $\delta\}$, 
for any set $\beta$ of ground literals. We assume that check-assign for $\mathcal{ET}$ is 
implemented by using a superposition prover as described in [1] and is also capable 
of returning the ground facts which are derived by the prover (cf. $\Delta_e$ at line 
4 of check_comb, Figure 2). The main difference between check_comb and the 
Nelson-Oppen combination schema is that the two component procedures 
communicate also ground facts on the signature of $\mathcal{PA}$ and not only the equalities 
over shared constants (cf. line 5 of check_comb). The function purify is such that 
$purify(\beta) = (\beta_1, \beta_2)$, $\beta$ is satisfiable iff $\beta_1 \wedge \beta_2$ is, $\beta_1$ ($\beta_2$, resp.) is a conjunction 
of literals not containing terms of $\mathcal{PA}$ ($\mathcal{ET}$, resp.), and $\alpha$ is an arrangement for 
$\beta_1$ and $\beta_2$ (see [11] for a definition). 

Notice that the superposition prover plays two roles. First, it implements the 
satisfiability procedure for $\mathcal{ET}$. Second, it finds ground instances of the quantified 
sub-formulae in $\phi'_0$, which are then sent to the decision procedure for $\mathcal{PA}$. Notice 
that if the calls to the superposition prover return, then check_comb terminates, 
since there are only finitely many arrangements $\alpha$ (see again [11] for details) and 
only finitely many clauses are generated by superposition (given its termination). 
So, check_fol is terminating whenever the call to check_comb returns. Finally, the 
algorithm is obviously sound but it is incomplete for an arbitrary $\mathcal{ET}$. 

Table 1. Experimental Results on Array Programs 

                      Simplify   haRVey 
    Find (20)            14        20 
    Selection (14)       12        14 
    Heap (22)            13        17 

3 Experiments: Verification of Array Programs 

We have built a prototype version of check_fol on top of haRVey¹ [2] by adding an 
implementation of check_comb and a procedure for the quantifier-free fragment 
of $\mathcal{PA}$ based on the Fourier-Motzkin method (see e.g. [12]). We have used the 
Why² tool to generate the proof obligations encoding the (total) correctness of 
the following programs: Hoare's Find, Selection sort, and Heap sort [5]. Why is 
capable of generating proof obligations in the formats of several tools, among 
which haRVey and the state-of-the-art theorem prover for program verification, 
Simplify [3]. In Table 1, the first column reports the identifier of the algorithm 
and the total number of proof obligations encoding its correctness; the second 
(third) column gives the number of proof obligations proved by Simplify (our 
algorithm, resp.). For Find and Selection sort, Simplify fails to prove about 
25% of the proof obligations whereas our system proves them all. For Heap sort, 
Simplify proves 13 of 22 formulae whereas our system proves 17. If we add three 
lemmas about an inductive predicate recognizing heaps (see [5] for details), then 
Simplify proves 16 formulae whereas our system goes up to 22. For Find, 19 of the 
20 proof obligations are ground after the invocation of top-ex at line 1 in Figure 
2. On the sole non-ground proof obligation, we terminated Simplify after 
half an hour of work; our system, instead, terminates with the correct answer in 
about 10 seconds. For Selection sort and Heap sort, no proof obligation becomes 
ground after the invocation of top-ex. Both our system and Simplify are quite 
successful in finding suitable instances for the quantified variables, but our system 
automatically discharges more proof obligations than Simplify. 

¹ http://www.loria.fr/~ranise/haRVey 
² http://why.lri.fr 

We believe that the main reason for the success (measured in number of 
proof obligations automatically discharged) of our algorithm over Simplify is that 
we use superposition as the instantiation mechanism rather than the heuristic 
matching algorithm described in [3]. In fact, superposition also performs inferences 
on the quantified formulae: this may generate ground instances of facts 
which cannot be derived when at most one formula participating in an inference 
is allowed to be non-ground, as is the case for Simplify. 
Abstract. Qualitative Reasoning is characterised by making knowledge 
explicit in order to arrive at efficient reasoning techniques. It contrasts 
with often intractable quantitative models. Whereas quantitative mod- 
els require computations on continuous spaces, qualitative models work 
on discrete spaces. A problem arises in discrete spaces concerning transi- 
tions between neighbouring qualitative concepts. A given arrangement of 
objects may comprise relations which correspond to such transitions, e.g. 
an object may be neither left of nor right of another object but precisely 
aligned with it. Such singularities are sometimes undesirable and influ- 
ence underlying reasoning mechanisms. We shall show how to deal with 
singular relations in a way that is more closely related to commonsense 
reasoning than treating singularities as basic qualitative concepts. 



1 Introduction 

In this essay we discuss problems arising when describing arrangements of 
objects qualitatively. We are concerned with the relations depicted in Fig. 1, which 
were introduced in [3]. We refer to the set of these relations as BA. The 
relations in BA describe arrangements of intervals in the two-dimensional plane 
qualitatively; they can be considered as the two-dimensional analogue of Allen's 
one-dimensional interval relations [1]. BA is distinguished from other qualitative 
representations (cf. [2]) in that it comprises only disconnection relations. 
Relations between disconnected objects are of interest in a number of areas, mainly 
when spatiotemporal interactions between objects are to be described. It could 
be argued that connection relations are equally important. But there are no 
connections, for example, between road-users in traffic, pedestrians walking in a 
market square, sportsmen playing on a pitch, or generally between objects form- 
ing patterns of spatiotemporal interactions. Sometimes the distances between 
objects become very small, but they still remain detached from one another and 
can generally change their orientation and position independently of other ob- 
jects. We are simply interested in possible relations between objects that are not 
connected. 

It is less a question of motivating the necessity of different disconnection 
relations, than of restricting the relations to those in general positions. In BA 
the endpoints of all intervals are in general positions. The examples on the right 
of Fig. 1 show relations in singular positions. These correspond to special cases 



B. Buchberger and J.A. Campbell (Eds.): AISC 2004, LNAI 3249, pp. 276–280, 2004. 
© Springer-Verlag Berlin Heidelberg 2004 




Singularities in Qualitative Reasoning 277 




Fig. 1. Left: Interval relations embedded in two dimensions; the vertical reference in- 
terval is displayed bold. Middle: A mnemonic description; Right: Singular relations 



in which intervals are precisely aligned with each other. But in BA there are 
no such singular relations explicitly defined. For instance, there is no relation 
between $F_l$ and $FO_l$ which would correspond to an interval in which one endpoint 
is located exactly level with an endpoint of the other interval (see Fig. 1(a)). 
The question arises as to how we deal with such singular arrangements, 
in which one endpoint lies precisely at a location which marks the transition 
between qualitative concepts, as between $F_l$ and $FO_l$. This is important, since 
no possible arrangement of intervals should remain undefined. This is the issue 
we are interested in. 

2 Singular Relations 

First of all we show why singular relations exist at all. A qualitative 
representation is the result of an abstraction process, which can be regarded as the 
partitioning of a continuous space into a number of equivalence classes. As a 
side-effect of this, singularities em as transitions between neighbouring classes. 
For example, the continuous space of interval arrangements in the plane can be 
conceived as consisting of all metrically distinct interval arrangements. A special 
abstraction of this continuous space distinguishes the relations of BA, in which 
each equivalence class is a binary relation between two intervals. In the 
neighbourhood graph in Fig. 1, the transition between two neighbouring classes marks 
a singularity, for instance, between $F_l$ and $FO_l$. We refer to the interval relations 
which fall into these transitions as singular relations. Fig. 1(a) serves as an 
example. An arbitrarily small change in the position of one interval which forms a 
singular relation with another interval transforms it in most cases into a general 
relation. Such a small change applied to a general relation would not normally 
change this relation. 

We would like to argue that singular relations should not have the status of 
basic relations in a qualitative representation. By contrast to BA, which 
comprises only 23 relations, there exist 226 relations when we additionally consider 
singular relations [3], a significant difference since all these relations need to be 
distinguished when analysing and interpreting situations. More importantly, 
singular relations are somewhat misplaced in the context of qualitative reasoning. 
We are not at all interested in whether objects are precisely aligned. We focus 
on coarse relations between objects, which are simple to obtain and which allow 
efficient commonsense reasoning. For instance, we want to know whether one 
object is to the left of another one, whether it is moving in the same direction, 
and the like. What distinguishes qualitative relations from metrical relations is 
that they can be recognised easily by perception. However, this does not apply 
to singular relations, which require precise measurements. We conclude that sin- 
gular relations are not compatible with commonsense reasoning, although there 
are exceptions in those fields where singular relations are as easy to obtain as 
general relations. For example, in the case of events we often know whether one 
event follows another one directly: after the performance a reception is held in 
the foyer; there is no time to go shopping between the performance and the 
reception - these events meet in time. 

2.1 Representing Singular Relations 

Having said that singular relations are incompatible with the idea of 
commonsense reasoning (more so in two dimensions than in one), we must show how 
to deal appropriately with singular relations. We cannot simply exclude them, 
since we need to represent every conceivable arrangement of intervals. One way 
of dealing with them consists in assigning singular relations to similar general 
relations. The singular relation in the first example could be assigned to $F_l$, 
since there is only one point that is not actually in relation $F_l$; this may be an 
appropriate solution in applications in which coarse reasoning is performed. But 
when such a precise distinction matters we are outside the scope of qualitative 
reasoning. 

The second example, Fig. 1(b), is more difficult to handle. If we regard this 
arrangement as $D_l$ then we are heading for a problem. What about the converse 
relation? If it is regarded as $D_r$, then it holds for both intervals that each 
is contained in the other one, a quite awkward situation. For this reason we 
have to proceed as we do whenever we encounter indeterminate information in 
any qualitative representation: by sets of possible relations. In Fig. 1(b) we 
would represent the singular relation by $\{D_l, C_l, FO_l, BO_l\}$ and its converse by 
$\{D_r, C_r, FO_r, BO_r\}$. In this way, we can deal with parallel intervals which are 
equal in length. The representation does not seem to be very precise, but precision 
is exactly what we want to avoid in a qualitative representation. When can 
we be sure whether parallel lines really are equal in length? Only when we have 
precise measuring tools. Isn't there always a little uncertainty left when working 
without such tools? At most we know that two lines in a given arrangement are 
likely to be equal in length, but at the same time we also know that they may 
be something else, something similar. Similar relations form a neighbourhood 
in the BA-graph, and such neighbourhoods circumscribe the singular relations. 
Accordingly $\{D_l, C_l, FO_l, BO_l\}$ would seem to be quite an appropriate description 
of what we really know about two parallel lines which are probably equal in 
length. 

Fig. 2 shows how singular relations are represented by sets of general rela- 
tions. Only a quarter of all relations are depicted, since the other relations are 
symmetrical to those in Fig. 2. As with the disconnection relations of BA, only 
disconnected singularities are considered. Apparently connected singularities are 
treated as apparently connected general relations, i.e. they are conceived as dis- 
connected relations in which distances become arbitrarily short. Our knowledge 
gets more uncertain near singular relations - this uncertainty is represented by 
sets comprising a number of possible relations rather than only one relation. 
In particular, if two endpoints are in singular positions then these sets consist 
of three or four general relations, depending on whether the endpoints lie on 
the same singularity, e.g. $\{F_l, F_m, F_r\}$ in Fig. 2, or on different singularities, e.g. 
$\{D_l, C_l, FO_l, BO_l\}$. By contrast, if there is only one endpoint in singular position 
the sets consist of only two general relations. We observe that all singularities 
are uniquely identified by this technique. 



2.2 Reasoning with Singular Relations 

How does this representation of singular relations affect reasoning processes? 
Let us consider the example in Fig. 3. We assume that we know the relations 
between $x$ and $y$ as well as those between $y$ and $z$. For the position of $y$ with 
respect to $x$ we write $x_y$, and accordingly we write $y_z$ for the position of $z$ 
with respect to $y$. Our goal is to infer the relationship between $z$ and $x$, i.e. 
$x_z$. We do this by the composition operation which was defined in [3]: for each 
pair of general relations the transitivity relation is given, and the composition of a 
set of relations is the union of the compositions of its members. The left hand side of 
Fig. 3 shows $x_y$ in a singular relation; the composition result is indeterminate. In 
comparison, the right hand side of Fig. 3 shows $x_y$ in a general relation; here the 
composition result is less indeterminate. Note that we assume that $x_z$ cannot be 
perceived directly, as is actually the case in this figure. 

Left (singular $x_y$): 

    $x_y = \{F_l, F_m\}$, $y_z = F_l$ 

    $x_z = x_y \circ y_z = \{F_l, F_m\} \circ F_l = F_l \circ F_l \cup F_m \circ F_l = \{F_l, F_m, F_r\} \cup \{F_r\} = \{F_l, F_m, F_r\}$ 

Right (general $x_y$): 

    $x_y = F_m$, $y_z = F_l$ 

    $x_z = x_y \circ y_z = F_m \circ F_l = F_r$ 

Fig. 3. Transitivity with a singular relation (left), and without any singularity (right) 

3 Discussion 

Hitherto qualitative representations have treated singular relations as being on 
a par with general relations. This is useful in some areas, for example, in order 
to distinguish whether an event happens before another event, or whether it 
immediately follows (meets) another one [1]. We have argued that singular 
relations are not as important as general relations in some applications, and that 
they form a different sort of relation since they do not accord with common-sense 
reasoning. Characterising singularities on the basis of neighbourhoods, we have 
treated them as relations of second order rather than basic relations. As a 
consequence, the endpoints of basic relations always lie in general positions. 
Indeed BA forms a set of relations which covers all possible situations when 
circumscribing singular relations by neighbourhoods of general relations - BA 
leaves nothing undefined. This also holds for other qualitative representations. 

To summarise, we have identified singularities as artefacts in qualitative 
representations. They are problematic in some areas, in that they require precise 
measurements whereas precision is normally avoided in qualitative reasoning. 
We have outlined how to deal with singularities by means of sets of possible 
relations, i.e. by defining singularities as sets of general relations. 
Abstract. We consider joining to our computer algebra library a certain 
prover based on the TRW machine with an order-sorted algebraic 
specification language for input. A resource distribution approach helps 
to automate the proof tactics. Inductive reasoning is organized through 
adding of equalities. The unfailing Knuth-Bendix completion combined 
with special completion for the Boolean terms enables proofs in predicate 
logic. The question is how to develop further a language for equational 
reasoning/computing, the prover library and special provers to make 
possible the solution of more substantial problems than the ones mentioned 
in the examples. 

Keywords: computer algebra, equational prover, term rewriting. 



For several years we have been developing a computer algebra (CA) library called 
DoCon (www.botik.ru/~mechvel/papers.html). It is written in the Haskell 
language and implements a good-sized piece of commutative algebra. Now, in 
order to extend the ability to operate with explicit knowledge about domains, we 
aim at the following two goals. (1) To develop and implement an adequate 
“object” language (OL) based on order-sorted equational specifications (OSTRW), 
a prover related to OL, and to incorporate the existing CA library and prover 
into one system. (2) To enrich the existing tactics, the prover library, etc., in 
order to make the system more effective in solving problems. 

The project also has relevance to the area of partial evaluation, since such a 
prover also allows automated reasoning about functional programs. 

Our program is called Dumatel (a joke Russian word from the novel “Skazka 
o troike” by the Strugatsky brothers; it stands for “thinker”). 

As an introduction, some ideas related to the project can be found in [5], [3], 
[4], [6], [1], and the manual for the Maude system. Among the projects with a 
similar direction, we can mention Theorema (www.theorema.org). There is also 
the Maude system (maude.cs.uiuc.edu), remarkable for its treatment of OSTRW, 
reflection, and AC (associative and commutative) operators. In this four-page paper 
we cannot describe the design principles in much detail. More information will 
be available in 

Reference: the initial open source Dumatel system version, together with some 
expanded documentation, is expected to appear during 2004. The relevant URL 
is www.botik.ru/~mechvel (/papers.html). 



B. Buchberger and J.A. Campbell (Eds.): AISC 2004, LNAI 3249, pp. 281-284, 2004. 
On Languages: Haskell is chosen as the implementation language (IL); the 
prover is written in IL, and it reasons about specifications expressed in OL. The 
prover strategies are formulated in the strategy language (SL), for which we have 
again found Haskell to be adequate. When OL develops a sufficient richness, it 
has the potential to become an SL. 

Why do we not choose a prover tool from the great number of existing ones? 
After one year of investigation we failed to find a tool satisfying our requirements 
(and personal taste): (1) being open source, (2) having sufficient OSTRW to be 
an OL, (3) providing a good high-level functional language for implementation, 
and suitable universality for a strategy language, (4) having a rich CA library 
and TRW library (Maude was candidate No. 1). And our taste also does matter: 
an encouraging six-year experience with Haskell, with its “laziness”, clarity and 
a balance between its being high-level and the efficiency of the Glasgow Haskell 
tool, with implementing in it a large CA library (to link to the prover) - all impel 
us to continue in this direction. As a more distant perspective, we intend the 
future OL to become a really adequate language for expressing strategic-level 
knowledge in programs. 



Illustrating the System with an Example. 

The following simple problem is taken from Example 3.7 in [2]. Let G be a group 
with operations e, *, i, and P a non-empty subset in G such that if X and 
Y belong to P then X*(i Y) belongs to P. Prove that it follows from these 
axioms that (1) e ∈ P, (2) for all X (X ∈ P ==> i X ∈ P). 

To solve this problem, denote x ∈ P as (P x) and specify a theory as a 
many-sorted specification in OL: 



groupTask = theoryUnion (bool lpo) groupWithP 
  where 
  groupWithP = 
    Theory {sorts        = [G], 
            operators    = [e : -> G,  i_ : G -> G,            -- inversion 
                            _*_ : G G -> G,  P_ : G -> Bool],  -- for subset 
            variables    = [[X, Y, Z] : G], 
            equations    = [(X*Y)*Z = X*(Y*Z),                 -- Group 
                            e * X = X,  (i X)*X = e],          -- laws 
            opPrecedence = preced,  greaterTerm = (lpo preced), 
            btLaws       = [],      btOrdering  = ... } 
  preced = [P, i, *, e, false]                                 -- P > i > ... 



This specification is expressed as IL data. The TRW interpreter treats 
such specifications as direct term reduction programs. Other parts of the prover, 
like completion, treat it as a theory from which to derive the consequences. The 
term ordering (greaterTerm) has the operator precedence table as a parameter. 
theoryUnion is a function joining theories in a sensible way; here it joins the 
theory for Boolean algebra. This example is processed by the prover, with the 
result printed to a string, by the following IL program: 
(shows (ukbbGoalRem res) . ("\n\n" ++) . 
   showsUKBBHistory (ukbbHistory res)) ""  :: String 
  where 
  res     = proveByUKBBRefutation Infinity skolemArgs groupTask formula 
  formula = parse "(exist [X] (P X)) & \ 
                  \(forall [X,Y] (P X & P Y ==> P (X*(i Y)))) \ 
                  \==> P e & (forall [X] (P X ==> P (i X)))" 

Here Infinity means the infinite resource given to the goal, and skolemArgs 
specify the way to add the operators appearing after skolemization. Our 
predicate calculus formula is presented as a term built with the operators "exist", 
..., "==>", "P", "i". The proof starts by reducing the formula term. The 
function proveByUKBBRefutation forms the negation, skolemizes it (extending 
the theory to groupTask'), converts it to a list of what we call btDisjuncts, 
each disjunct represented as a certain Boolean term (BT) [2]. A Theory also 
keeps a list of BT. The formulas join the btLaws part of the theory in the form 
of such a list. BTs form an associative and commutative algebra, with the 
idempotence law, with respect to the operations xor, &. For more efficiency, the 
prover applies to BT a special completion method (the function ukbb). Our example 
yields the four disjuncts in a BT form: 

btDisjuncts = [(P XSk) xor 1, 
               (P (X*(i Y)))&(P Y)&(P X) xor (P Y)&(P X), 
               (P XSk0)&(P e) xor (P e), 
               (P i XSk0)&(P e)] 

XSk, XSk0 are the constants returned by skolemization. btDisjuncts join 
the theory, making it groupTaskS, and then the completion is applied: 
ukbb _ groupTaskS ([],[1]) - “complete the equations and BT of the given 
theory aiming at the BT goal [1]”. Deriving a BT which reduces 1 to 0 would 
mean a successful proof by refutation. ukbb combines the usual unfailing 
completion [3], [6] with the superpositions of kind equation+BT, BT+BT [2], and with 
a special reduction on BT. It also accumulates a proof history. In our example, 
the result prints as 

ukbbGoalRem = ([],[])   -- [true] -> [false] -> [] done 

History = 
  [[2] (P XSk) xor 1 
   [4] (P XSk0)&(P e) xor (P e) 
   [5] (P i XSk0)&(P e) 
   [3] (P Y)&(P X)&(P (X*(i Y))) xor (P Y)&(P X) 
   [1] e*X -> X 
   [6] (P Y)&(P i Y)&(P e) xor (P Y)&(P e)      from [1], [3] 
   [7] P ((i (Y0 * i XSk))*Y0)                   from [..], [2] 
   [8] 1                                          from [1], [7] ] 

The labels of type [Integer] serve as the references on print-out. 

The ukbb method implements mainly the idea of the RN+ strategy given in [2]. 
But Dumatel applies a stronger method for the BT reduction. This is based 
on the monomial ordering by the monomial scheme: a power product made of 
the corresponding top predicate symbols. Its relation to graded algebras and 
Gröbner bases is a new computer algebra subject in our design. 
Sketching Some of the Remaining Features. 

The resource distribution approach means that the most important functions 
in the prover are given a resource argument: a bound for the number of “steps”; 
they return the “current state” and the resource remainder. Resource exhaustion 
is one of the flags for such a function to stop. The resource is distributed between 
the goals according to the strategy heuristics. All this helps to automate the 
tactics of proof, breaking off any unsuccessful proof branch when it grows too 
long (recall that a generic “solving” task is algorithmically undecidable). 
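The BT refutation described under the example above and the resource argument just described, as an added example in Python (not Dumatel's Haskell code): BTs as GF(2) polynomials with idempotent atoms, reduction by leading monomials under a degree-then-name ordering, and a resource-bounded interreduction loop (a simplified stand-in for the ukbb BT+BT superposition, sound but not complete) run over a constructed ground instance of the group task. It assumes the equational steps XSk*(i XSk) -> e and e*X -> X have already been applied, so only the Boolean part remains.

```python
# Added example, not Dumatel's code: Boolean terms (BT) as GF(2) polynomials with
# idempotent atoms (the xor/& algebra the text describes). A BT is a frozenset of
# monomials, a monomial a frozenset of atom names; a law is a BT asserted equal to 0.
from itertools import product

ONE = frozenset([frozenset()])                     # the constant 1 (empty product)
atom = lambda name: frozenset([frozenset([name])])
bt_xor = lambda p, q: p ^ q                        # x xor x = 0: equal monomials cancel

def bt_and(p, q):                                  # a & a = a: a product is a set union
    r = set()
    for m, n in product(p, q):
        r ^= {m | n}
    return frozenset(r)

def implies_bt(a, b):                              # BT of "not (a ==> b)", to be set to 0
    return bt_xor(bt_and(a, b), a)

def lead(p):                                       # monomial scheme order: degree, then names
    return max(p, key=lambda m: (len(m), sorted(m)))

def reduce_bt(p, laws):   # rewrite a monomial divisible by a law's lead lm into the law's rest
    while True:
        step = next(((m, law) for law in filter(None, laws)
                     for m in p if lead(law) <= m), None)
        if step is None:
            return p
        m, law = step                              # m = cof & lm, and lm = rest since law = 0
        p = bt_xor(p, bt_and(frozenset([m - lead(law)]), law))

def refute(laws, resource=float("inf"), goal=ONE):
    # interreduce the laws (a simplified BT+BT superposition) until the goal reduces
    # to 0 or the resource (a bound on passes) is exhausted; returns (proved, remainder)
    basis, changed = [l for l in laws if l], True
    while changed and resource > 0 and reduce_bt(goal, basis):
        changed, resource = False, resource - 1
        for i, law in enumerate(basis):
            basis[i] = reduce_bt(law, basis[:i] + basis[i + 1:])
            changed |= basis[i] != law
        basis = [l for l in basis if l]
    return not reduce_bt(goal, basis), resource

# Constructed ground instance of the page's task (assumption: the equational part has
# already rewritten XSk*(i XSk) to e and e*X to X, so only the BT part remains):
pXSk, pe, pXSk0, piXSk0 = map(atom, ["P XSk", "P e", "P XSk0", "P (i XSk0)"])
GROUND_LAWS = [bt_xor(pXSk, ONE),                  # exist X (P X), skolemized: P XSk holds
               implies_bt(pXSk, pe),               # P X & P Y ==> P (X*(i Y)) at X = Y = XSk
               implies_bt(pe, pXSk0),              # negated goal, clause 1: P e ==> P XSk0
               bt_and(piXSk0, pe),                 # negated goal, clause 2: not (P e & P (i XSk0))
               implies_bt(bt_and(pe, pXSk0), piXSk0)]  # the same axiom at X = e, Y = XSk0
```

refute(GROUND_LAWS, 10) derives the constant 1 in a single pass, i.e. 1 reduces to 0 and the goal is refuted with resource 9 left; with resource 0 the same call stops immediately and reports failure.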

The inductive reasoning is organized through adding of equalities (see, 
for example, the materials on Inductive Prover (M.Clavel) at the Maude system 
site). 

The first approach strategy (FAS) for the formula proof by the given 
theory (the function prove) consists of transforming the list of goals, trying 
in a certain sequence the inference rules (attempts) of Simplification (ukbb), 
Constants Lemma, Implication Elimination, and Induction by expression value 
(by construction of such value). The resource is distributed between the goals 
in the simplest way (far from being optimal). 

Examples of What It Can and Cannot Do: the FAS strategy proves 
automatically, with small resource cost, such tasks as, for example, (1) forall 
[N,M] (N+M = M+N) for the unary natural number arithmetic specified by 
recursive definitions, (2) reverse reverse xs = xs for the list reverse defined 
via concatenation, and the latter defined via CONS. But (2) needs a certain 
simple lemma to be introduced as a hint: although FAS proves the lemma and 
all the rest, it fails to guess to put this lemma as a subgoal. We intend to 
improve FAS to the extent that it will become capable of tasks like proving the 
equivalence of various sorting algorithms. 

Early Future Plans: to link the CA library to the prover (they are 
implemented in the same language), move OL from many-sorted TRW to order-sorted, 
add high-order operators, functoriality, develop AC completion, and develop 
further strategies (e.g. with setting an ordering on the subgoal formulas, heuristics 
for choosing the induction parameter) and special prover libraries (e.g. for the 
polynomial algebra). 